Re: Remove old GPG keys?

David Cantrell writes:

I don't really consider this a thing about saving space or making the
output of 'rpm -qa' look nicer or something, but rather being good users
of GPG.  If we create and then phase out signing keys, then part of our
process should also involve sending revocations for the old keys.  And
that process could be automated by a dnf plugin too.  Leaving old keys
around on the system for verification purposes presents a risk should
the old key become compromised.

Pretty sure I recall that a signing key was potentially compromised, some years ago, and the entire distro had to be re-signed with a new key.

… Yup. Just checked. Fedora 9 had to be re-signed with a new pgp key.

How quickly people forget.

Personally, every few releases I've manually gone through and nuked old repo keys.
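An added example, not part of this thread, of the manual clean-up described above: a POSIX shell audit that tags the imported gpg-pubkey entries belonging to a Fedora release older than the running one so they can be reviewed and removed. It assumes rpm's `%{SUMMARY}` for Fedora keys has the shape `gpg(Fedora (NN) <...>)`; the key ids and timestamps in the sample are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit the gpg-pubkey pseudo-packages
# that rpm keeps for every imported signing key and report the ones tied to
# a Fedora release older than the running one, so an admin can review and
# remove them (rpm -e <nvr>) instead of hunting through 'rpm -qa' by hand.
#
# On a real system the input is produced by:
#   rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
# and the current release by:  rpm -E %fedora
# sample_input below is constructed to mimic that output; key ids are made up.

# Read "NVR<TAB>SUMMARY" lines on stdin. Keys whose summary names a Fedora
# release lower than $1 are tagged "stale"; keys that do not name a Fedora
# release at all (third-party repositories) are tagged "review", since their
# age cannot be judged from the summary alone.
stale_keys() {
    current="$1"
    while IFS="$(printf '\t')" read -r nvr summary; do
        case "$summary" in
            *'Fedora ('*')'*)
                rel=${summary#*'Fedora ('}
                rel=${rel%%')'*}
                if [ "$rel" -lt "$current" ] 2>/dev/null; then
                    printf 'stale\t%s\t%s\n' "$nvr" "$summary"
                fi
                ;;
            *)
                printf 'review\t%s\t%s\n' "$nvr" "$summary"
                ;;
        esac
    done
}

# Constructed sample in the shape of the rpm query above (fake key ids).
sample_input() {
    printf '%s\t%s\n' \
        'gpg-pubkey-0a0a0a0a-60000001' 'gpg(Fedora (37) <fedora-37-primary@fedoraproject.org>)' \
        'gpg-pubkey-0b0b0b0b-60000002' 'gpg(Fedora (38) <fedora-38-primary@fedoraproject.org>)' \
        'gpg-pubkey-0c0c0c0c-60000003' 'gpg(Fedora (39) <fedora-39-primary@fedoraproject.org>)' \
        'gpg-pubkey-0d0d0d0d-60000004' 'gpg(Example Third-Party Repo <repo@example.invalid>)'
}

# Count how many sample entries receive tag $1 when the running release is $2.
count_tag() {
    sample_input | stale_keys "$2" | grep -c "^$1"
}

# Stand-alone run: pretend the machine is on Fedora 39.
sample_input | stale_keys 39
```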


devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
