On 10/31/2017 04:15 PM, Sam Varshavchik wrote:
> David Cantrell writes:
>
>> I don't really consider this a thing about saving space or making the
>> output of 'rpm -qa' look nicer or something, but rather being good users
>> of GPG. If we create and then phase out signing keys, then part of our
>> process should also involve sending revocations for the old keys. And
>> that process could be automated by a dnf plugin too. Leaving old keys
>> around on the system for verification purposes presents a risk should
>> the old key become compromised.
>
> Pretty sure I recall that a signing key was potentially compromised,
> some years ago, and the entire distro had to be re-signed with a new key.

Indeed. It has happened. It was very frustrating.

> … Yup. Just checked. Fedora 9 had to be re-signed with a new pgp key.
>
> How quickly people forget.

It's very easy to forget.

> Personally, every few releases I've manually gone through, and nuked old
> repo keys.

And I think a lot of us tend to do that sort of housekeeping work, which
was sort of the point of my response. We could make that a little better
in our tools (if it's not already there in some capacity).

Thanks,

--
David Cantrell <dcantrell@xxxxxxxxxx>
Red Hat, Inc. | Boston, MA | EST5EDT
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
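The "nuke old repo keys" housekeeping discussed in the thread can be scripted. The following is an added example, not code from the thread, from Fedora or from dnf: it lists the Fedora release keys imported into the rpmdb and flags those belonging to releases older than the running one. It assumes the `rpm -q gpg-pubkey --qf` query format and the `gpg(Fedora N (N) <fedora-N@fedoraproject.org>)` summary shape shown in the comments, and reads the current release from `VERSION_ID` in `/etc/os-release`; the sample query output is constructed.

```python
"""Added example (not Fedora/dnf code): find Fedora release signing keys in
the rpmdb that belong to releases older than the running one, so the manual
clean-up described in the thread can be reviewed before anything is removed."""
import re
import subprocess

# rpm stores an imported key as the pseudo-package gpg-pubkey-<keyid>-<created>
# with a summary like "gpg(Fedora 27 (27) <fedora-27@fedoraproject.org>)".
QUERY_FORMAT = "%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n"
FEDORA_KEY_RE = re.compile(r"gpg\(Fedora (\d+) \(\d+\) <fedora-\d+@fedoraproject\.org>\)")

# Constructed sample of the query output (key ids and timestamps are made up).
SAMPLE_LINES = [
    "gpg-pubkey-aaaaaaaa-59000001\tgpg(Fedora 27 (27) <fedora-27@fedoraproject.org>)",
    "gpg-pubkey-bbbbbbbb-57000002\tgpg(Fedora 25 (25) <fedora-25@fedoraproject.org>)",
    "gpg-pubkey-cccccccc-58000003\tgpg(Fedora 26 (26) <fedora-26@fedoraproject.org>)",
    "gpg-pubkey-dddddddd-56000004\tgpg(Example Vendor <security@example.com>)",
]


def installed_key_lines():
    """Query the live rpmdb; rpm exits non-zero when no key was ever imported."""
    proc = subprocess.run(["rpm", "-q", "gpg-pubkey", "--qf", QUERY_FORMAT],
                          capture_output=True, text=True, check=False)
    return proc.stdout.splitlines() if proc.returncode == 0 else []


def stale_fedora_keys(lines, current_release):
    """Return (nevr, release) for Fedora release keys older than current_release.
    Summaries that are not a Fedora release key (third-party repos, secondary
    keys) are skipped and left for manual review rather than removed."""
    stale = []
    for line in lines:
        nevr, _, summary = line.partition("\t")
        match = FEDORA_KEY_RE.search(summary)
        if match and int(match.group(1)) < current_release:
            stale.append((nevr, int(match.group(1))))
    return stale


def removal_commands(stale):
    """Commands to run only after the list has been reviewed by a human."""
    return ["rpm -e " + nevr for nevr, _ in stale]


if __name__ == "__main__":
    current = 27  # fallback matching the constructed sample
    try:
        with open("/etc/os-release") as f:
            for ln in f:
                if ln.startswith("VERSION_ID="):
                    current = int(ln.split("=", 1)[1].strip().strip('"'))
    except (OSError, ValueError):
        pass
    for cmd in removal_commands(stale_fedora_keys(installed_key_lines() or SAMPLE_LINES, current)):
        print(cmd)
```

Run as a dry run first: it only prints the `rpm -e` commands for the stale keys, and any key that is not a Fedora release key is intentionally left alone.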