Adam Williamson wrote: > On Mon, 2012-12-17 at 11:27 -0500, Przemek Klosowski wrote: > > On 12/17/2012 01:58 AM, Adam Williamson wrote: > > > fedup essentially automates doing yum distro-sync across a reboot > > > and in an isolated environment > > > > I don't understand---the discussion started by pointing out that > > fedup does not check signatures, then someone said that yum > > distro-sync does it properly, and you're saying that fedup just > > automates distro-sync. At which point is the signature checking > > disabled then? and can it be restored? > > anyhow, the tricky thing here lies in somehow making it safe for fedup > to *automatically* import the correct key for the next release. This > is a subtlish problem. There's another thing that also needs to be fixed. If I've understood what I've read correctly, then Fedup downloads a kernel and a ramdisk which make up that isolated environment that Adam mentioned. Those files aren't RPM packages and aren't signed like the packages are. Those who have the secret keys need to start signing the kernel/ramdisk pair, and Fedup needs to verify that signature. Naturally the signature must be verified before the kernel/ramdisk pair is booted. Björn Persson -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
