On Tue, 2017-10-31 at 17:34 +0200, Panu Matilainen wrote:
> On 10/31/2017 04:57 PM, Stephen Gallagher wrote:
> >
> > On Tue, Oct 31, 2017 at 10:49 AM Michael Cronenworth <mike@cchtml.com <mailto:mike@xxxxxxxxxx>> wrote:
> >
> > On 10/31/2017 03:52 AM, Miroslav Suchý wrote:
> > > And I wonder: is it a good idea to keep old gpg keys in RPM db?
> > > Or should we automate the removal of old keys?
> >
> > I'd be all for cleaning up old keys.
> >
> > However, I would be cautious to not delete keys that are still in
> > use. Example: User has Fedora 29 installed and has a package from
> > Fedora 21 still installed as it was retired, but it has no
> > dependencies that would cause it to fail.
> >
> >
> > Correct me if I'm wrong, but we only check keys at installation time, so
> > they'd be able to continue running just fine, but they'd be denied if
> > they tried to reinstall it after F21 is EOL. Which seems perfectly
> > reasonable to me; if you're using an EOL operating system, forcing
> > people to have to pass --no-gpgcheck is a great way to get them to pause
> > and reconsider their situation.
>
> Actually rpm by default checks signatures on queries and verification
> too, so there is some value in keeping the keys there, at least for keys
> that are actually in use.
>

Is it possible to mark keys so they can be used for verification but not
for installation of new packages?

My personal worry is that old keys may get compromised over time, so it
is a very good practice to regularly "disable" old keys.

Simo.

--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
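Added here to illustrate Panu's point about keys that are still in use (this is not code from the thread or from rpm itself): a small POSIX shell check that lists the gpg-pubkey entries in the RPM db that no installed package is signed with, so that the stale keys Simo worries about can be told apart from keys still needed to verify installed packages. It assumes rpm's standard query-format tags; the key IDs and summaries used in the comments and test data are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: find gpg-pubkey entries in the RPM db that no
# installed package is signed with. Keys that still verify an installed package are
# the ones worth keeping; the rest are the "old key" candidates for removal.
#
# unused_keys takes two files so the logic can run on constructed data:
#   $1: one imported key per line   "<low 32 bits of key id, 8 hex>\t<summary>"
#   $2: one package per line        "<name>\t<pgpsig text, or (none)>"
# It prints "<keyid>\t<summary>" for each key referenced by zero packages.
unused_keys() {
    keys=$1
    sigs=$2
    # pgpsig text ends in "Key ID <16 hex>"; rpm names the gpg-pubkey
    # pseudo-package after the low 32 bits (last 8 hex digits) of that id.
    used=$(awk -F'\t' 'match($2, /Key ID [0-9a-fA-F]+$/) {
        id = tolower(substr($2, RSTART + 7))
        print substr(id, length(id) - 7)
    }' "$sigs" | sort -u)
    awk -F'\t' -v used="$used" '
        BEGIN { n = split(used, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        !(tolower($1) in seen) { print }
    ' "$keys"
}

# Live variant: queries the local RPM db. The --qf expressions are standard rpm
# query-format syntax; DSA-signed packages fall back to the DSAHEADER tag.
rpm_unused_keys() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 2; }
    k=$(mktemp) || return 1
    s=$(mktemp) || return 1
    rpm -q gpg-pubkey --qf '%{VERSION}\t%{SUMMARY}\n' > "$k"
    rpm -qa --qf '%{NAME}\t%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{(none)}|}|\n' > "$s"
    unused_keys "$k" "$s"
    rm -f "$k" "$s"
}

# Query the real db only when asked:  sh this_script.sh live
case "${1:-}" in live) rpm_unused_keys ;; esac
```

A key reported here can be verified against `rpm -qi gpg-pubkey-<keyid>-*` before deciding to remove it; a key that is absent from the output still verifies at least one installed package and is the case Michael and Panu describe.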