On Sat, 2005-07-23 at 01:20 -1000, Warren Togami wrote:
> I just noticed that using yum's default FC4 configuration, it is
> seemingly impossible to install packages like docbook-utils which is
> signed by a different GPG key than the default specified to that
> repository in /etc/yum.repos.d/fedora.repo. I suppose this is partially
> my fault because I'm the last person to touch that repo file, but it is
> strange to me that I never noticed this problem until now.
>
> I *like* that yum enforces this strictly, but are there any good reasons
> why we should allow packages in a repo to be signed by two or more valid
> keys rather than a single key?
>
> Did we screw up by not resigning everything in base before pushing FC4,
> or is this really a yum config problem?

This is a screw up by not resigning everything. We've implemented
support for multiple gpgkeys per-repo in yum 2.3.4 but fedora core
should be signed with a single key.

> Any ideas how we should fix this now? Should we resign the entire repo
> and push that to mirrors?

won't work - most mirrors don't re-sync core after the initial release.

> Or maybe less radically update yum so the repo file allows both keys?
> (Use this as a one-time kludge for FC4, and in the future make sure each
> repo uses *one* key.)

also won't work b/c a lot of people have modified their repo file.

I'd recommend just not making this mistake again.

-sv