On Tue, 2012-12-18 at 02:05 +0100, Björn Persson wrote:
> Adam Williamson wrote:
> > On Mon, 2012-12-17 at 11:27 -0500, Przemek Klosowski wrote:
> > > On 12/17/2012 01:58 AM, Adam Williamson wrote:
> > > > fedup essentially automates doing yum distro-sync across a reboot
> > > > and in an isolated environment
> > >
> > > I don't understand---the discussion started by pointing out that
> > > fedup does not check signatures, then someone said that yum
> > > distro-sync does it properly, and you're saying that fedup just
> > > automates distro-sync. At which point is the signature checking
> > > disabled then? and can it be restored?
> >
> > anyhow, the tricky thing here lies in somehow making it safe for fedup
> > to *automatically* import the correct key for the next release. This
> > is a subtlish problem.
>
> There's another thing that also needs to be fixed. If I've understood
> what I've read correctly, then Fedup downloads a kernel and a ramdisk
> which make up that isolated environment that Adam mentioned. Those files
> aren't RPM packages and aren't signed like the packages are. Those who
> have the secret keys need to start signing the kernel/ramdisk pair, and
> Fedup needs to verify that signature. Naturally the signature must be
> verified before the kernel/ramdisk pair is booted.

That, we already have a bug for and it is being worked on, I believe.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net