On 2020-04-21 20:19, Sam Varshavchik wrote:
ToddAndMargo via users writes:
Hi Ed,
Ooops. Forgot to reinstall the key. :'(
And now everything works right.
Thank you for sticking this through! You are awesome!
To answer your other questions: the GPG keys for older Fedora releases
are harmless.
But I have believed, for quite some time, that they are a low risk
security hole. A signing PGP key was compromised at least once, many
years ago, forcing the whole release to get re-signed.
If one of the older releases' PGP keys gets compromised, things might
get a bit dicey, if a few more dominoes can get felled, in the right
direction. Say someone swipes F29's PGP key, right now. Hoo boy. A lot
of systems will probably trust anything signed by that key.
I always thought that (these days) dnf system-upgrade should, at some
point, delete the old release's pgp key. I dimly recall seeing something
in Bugzilla about it. Every few releases I sift through my RPM
databases, and manually delete old release keys.
Why are pgp keys in the rpm database anyway? That seems like a bunch of
extra work. /etc/yum.repos.d already contains:
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
So, why isn't that enough? This should be sufficient to verify
signatures on download packages. Why do they have to get imported
somewhere in the rpm database, as a fake package, in order to be useful?
Would it hurt anything to remove the old ones?
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
