On 10/31/2017 04:57 PM, Stephen Gallagher wrote:
> On Tue, Oct 31, 2017 at 10:49 AM Michael Cronenworth <mike@xxxxxxxxxx> wrote:
>> On 10/31/2017 03:52 AM, Miroslav Suchý wrote:
>>> And I wonder: is it a good idea to keep old gpg keys in RPM db?
>>> Or should we automate the removal of old keys?
>>
>> I'd be all for cleaning up old keys.
>>
>> However, I would be cautious to not delete keys that are still in use.
>> Example: User has Fedora 29 installed and has a package from Fedora 21
>> still installed as it was retired, but it has no dependencies that would
>> cause it to fail.
>
> Correct me if I'm wrong, but we only check keys at installation time, so
> they'd be able to continue running just fine, but they'd be denied if
> they tried to reinstall it after F21 is EOL. Which seems perfectly
> reasonable to me; if you're using an EOL operating system, forcing
> people to have to pass --no-gpgcheck is a great way to get them to pause
> and reconsider their situation.
Actually rpm by default checks signatures on queries and verification
too, so there is some value in keeping the keys there, at least for keys
that are actually in use.
- Panu -
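Michael's caveat, that an automated cleanup must not drop a key some installed package was signed with, can be checked mechanically against the rpmdb. The script below is an added example written for this page, not code from rpm, dnf or any Fedora tool. It assumes the two rpm query-format output shapes noted in its comments (gpg-pubkey VERSION is the low 32 bits of the key ID; %{SIGPGP:pgpsig} ends in "Key ID <16 hex digits>" or reads "(none)"), and it runs on constructed sample data rather than a live system. Function names and the sample keys and package names are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from rpm, dnf or Fedora): report gpg-pubkey entries in
# the rpmdb that no installed package's signature references, i.e. the
# "still in use" check a key-removal automation would need.
#
# Assumed input formats, as produced on Fedora by (not run here):
#   rpm -q gpg-pubkey --qf '%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' > keys.txt
#   rpm -qa --qf '%{NAME}\t%{SIGPGP:pgpsig}\n' > sigs.txt
# A gpg-pubkey VERSION is the low 32 bits of the signing key ID in hex; the
# pgpsig string ends in "Key ID <64-bit hex>"; unsigned packages show "(none)".
# Caveat: DSA-signed packages carry their signature in SIGGPG, not SIGPGP,
# so they would read as "(none)" here and their key could be reported unused.

# rpmdb_keys FILE: short (32-bit) key ids of every gpg-pubkey package, sorted
rpmdb_keys() {
    awk -F'\t' '{ split($1, a, "-"); print tolower(a[1]) }' "$1" | sort -u
}

# signing_keys FILE: short key ids referenced by installed package signatures
signing_keys() {
    awk -F'\t' '
        $2 != "(none)" && match($2, /Key ID [0-9A-Fa-f]+/) {
            id = tolower(substr($2, RSTART + 7, RLENGTH - 7))
            print substr(id, length(id) - 7)   # low 32 bits = gpg-pubkey VERSION
        }' "$1" | sort -u
}

# unused_keys KEYS_FILE SIGS_FILE: short ids present in the rpmdb but not
# used by any installed package (the only safe removal candidates)
unused_keys() {
    k=$(mktemp); s=$(mktemp)
    rpmdb_keys "$1" > "$k"
    signing_keys "$2" > "$s"
    comm -23 "$k" "$s"          # both inputs are sort -u output, as comm needs
    rm -f "$k" "$s"
}

# removal_commands KEYS_FILE SIGS_FILE: print (do not run) an rpm -e line for
# each unused key, using its full gpg-pubkey-<version>-<release> package name
removal_commands() {
    unused_keys "$1" "$2" | while IFS= read -r id; do
        awk -F'\t' -v id="$id" '
            { split($1, a, "-"); if (tolower(a[1]) == id) print "rpm -e gpg-pubkey-" $1 }
        ' "$1"
    done
}

# Constructed sample input (made-up key ids and package names, not real Fedora data):
SAMPLE_DIR=$(mktemp -d)
KEYS="$SAMPLE_DIR/keys.txt"
SIGS="$SAMPLE_DIR/sigs.txt"
printf '%s\t%s\n' \
    'a1b2c3d4-5a0c9e10' 'gpg(Example current-release key (constructed))' \
    'e5f60718-5483dc1b' 'gpg(Example older-release key (constructed))' \
    '9a8b7c6d-52b4f3c2' 'gpg(Example key no package uses (constructed))' > "$KEYS"
printf '%s\t%s\n' \
    'bash'             'RSA/SHA256, Mon 01 Oct 2018 10:00:00 AM UTC, Key ID 1234abcda1b2c3d4' \
    'retired-f21-tool' 'RSA/SHA256, Wed 03 Dec 2014 09:00:00 AM UTC, Key ID 5678ef01e5f60718' \
    'locally-built'    '(none)' > "$SIGS"

echo "Keys in rpmdb:";      rpmdb_keys "$KEYS"
echo "Keys in use:";        signing_keys "$SIGS"
echo "Removal candidates:"; removal_commands "$KEYS" "$SIGS"
```

In the sample, the older-release key stays because the retired package still references it, which is exactly Michael's scenario; only the key that no installed package was signed with becomes a removal candidate. The script deliberately prints the rpm -e commands instead of running them, so a reviewer can inspect the list before anything is removed from the rpmdb.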
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx