On 11/01/2017 11:51 PM, Sam Varshavchik wrote:
> I don't think much of expiring either. But keys for prior releases
> should simply be removed, as part of the upgrade process, or on the
> first boot after a successful upgrade.
>
> Now, if we go this way, we have to make sure we don't turn a bad
> situation into a worse one. It's possible that a botched upgrade might
> end up with a system that's still bootable, so prior releases' pgp keys
> should be left alone until it's known that fedup did its job
> successfully.
>
> But once an upgrade is complete, prior release's pgp keys have
> absolutely no value in them, whatsoever, except as an additional
> potential compromise vector.

Packages that were built for older releases are still distributed and used in newer versions.

Example: A package built for Fedora 24, signed with the Fedora 25 key, running on my Fedora 26 setup.

$ gpg2 < /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096 2016-03-31 [SCE]
      C437DCCD558A66A37D6F43724089D8F2FDB19C98
uid           Fedora 25 Primary (25) <fedora-25-primary@xxxxxxxxxxxxxxxxx>

$ rpm -qi maven-shared-io
Name        : maven-shared-io
Epoch       : 1
Version     : 3.0.0
Release     : 2.fc24
Architecture: noarch
Install Date: Sat 29 Oct 2016 12:26:04 AM CEST
Group       : Unspecified
Size        : 64077
License     : ASL 2.0
Signature   : RSA/SHA256, Sat 02 Apr 2016 12:12:02 AM CEST, Key ID 4089d8f2fdb19c98
Source RPM  : maven-shared-io-3.0.0-2.fc24.src.rpm
Build Date  : Thu 04 Feb 2016 10:36:28 AM CET
Build Host  : arm01-builder21.arm.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://maven.apache.org/shared/maven-shared-io
Summary     : API for I/O support like logging, download or file scanning
Description :
API for I/O support like logging, download or file scanning.

$ cat /etc/fedora-release
Fedora release 26 (Twenty Six)
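As an added example (not from this thread, and not a Fedora tool), a small POSIX sh check a maintainer could run before pruning old release keys from /etc/pki/rpm-gpg: it counts, per key file, how many installed packages are still signed by that key, so a key like fedora-25 on the Fedora 26 box above is kept rather than removed. The package lines and key map are constructed sample input in the format rpm prints; the fedora-24 and fedora-26 key IDs are placeholders, not the real ones.

```shell
#!/bin/sh
# Added example, not from the post: before removing an old release key from
# /etc/pki/rpm-gpg, check whether any installed package is still signed by it.
# On a real host the package lines come from
#   rpm -qa --qf '%{NAME} %{SIGPGP:pgpsig}\n'
# and the key IDs from the key files (as the post reads them with gpg2).
# Both inputs below are constructed so the script runs offline.

# "key-file key-id" pairs. The fedora-25 ID is the one shown in the post;
# the fedora-24 and fedora-26 IDs are placeholders, not the real key IDs.
KEYMAP='RPM-GPG-KEY-fedora-24-primary 0000000000000024
RPM-GPG-KEY-fedora-25-primary 4089d8f2fdb19c98
RPM-GPG-KEY-fedora-26-primary 0000000000000026'

# Constructed "NAME SIGNATURE" lines in the format rpm prints; an unsigned
# package shows "(none)".
PKGS='maven-shared-io RSA/SHA256, Sat 02 Apr 2016 12:12:02 AM CEST, Key ID 4089d8f2fdb19c98
bash RSA/SHA256, Mon 10 Jul 2017 10:00:00 AM CEST, Key ID 0000000000000026
vim-minimal RSA/SHA256, Mon 10 Jul 2017 10:00:00 AM CEST, Key ID 0000000000000026
local-build (none)'

# Print "key-file count": how many installed packages each key vouches for.
key_usage() {
    printf '%s\n' "$KEYMAP" | while read -r keyfile keyid; do
        n=$(printf '%s\n' "$PKGS" |
            awk -v id="$keyid" 'tolower($0) ~ ("key id " id "$") { c++ } END { print c + 0 }')
        printf '%s %s\n' "$keyfile" "$n"
    done
}

# Keys that sign nothing installed: the only ones safe to drop right now.
# A key with a non-zero count (fedora-25 here, on a Fedora 26 box) must stay.
removable_keys() {
    key_usage | awk '$2 == 0 { print $1 }'
}

# Packages no key can vouch for, regardless of which keys are kept.
unsigned_pkgs() {
    printf '%s\n' "$PKGS" | awk '$2 == "(none)" { print $1 }'
}

key_usage
echo "removable: $(removable_keys)"
echo "unsigned: $(unsigned_pkgs)"
```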
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx