Re: fedora-gpg-keys not updated yet again

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



More below.

On 8/20/19 6:40 PM, Kevin Fenzi wrote:
> On 8/20/19 7:37 AM, Petr Mensik wrote:
>> Hi!
>>
>> I could not find a safe way to upgrade also this time. I found update
>> F32 [1], but not corresponding F31 just adding new key. I am missing
>> update similar to [2], just for F31 that once was Rawhide. It should be
>> version 31-0.5
>>
>> I found and reopened one old bug [3]. I do not think this is just second
>> time.
> 
> Yes, it is that version, but there is not any compose that it exists in
> yet.
> 
>> On 8/19/19 11:32 PM, Kevin Fenzi wrote:
>>> So, a few things to note:
>>>
>>> * fedora-repos was updated for rawhide, however, unfortunately, It had
>>> two extra spaces on the first line... "  " which made gpg consider it
>>> invalid. This is likely the cause of any breakage with rawhide (mock,
>>> containers, copr, etc). This has been fixed in the newest fedora-repos
>>> package for f32/rawhide.
>>>
>>> * There is no f31 repo because we have not yet had a fedora 31 branched
>>> compose finish. So, mirrormanager is pointing people to rawhide. This is
>>> likely the cause of all problems related to f31.
>> I think this is a major point. I could not find update with
>> fedora-repos-31-0.5 signed. Instead, there is 32-0.1 served both by f31
>> updates and rawhide repo. I think there must be first updated GPG keys
>> N, which increases just minor version, not a major one. Major version
>> should be increased only after branching. Unless I am mistaken, rawhide
>> served me 32-0.1 signed by key contained inside. Okay, I had rawhide
>> repo enabled. But even
>> $ dnf --repo=updates --releasever=31 upgrade fedora-gpg-keys
>> did not offer different version. What was worse, both were signed by the
>> same F32 key.
> 
> yes, because both f31 and f32 are currently pointing to f32 (rawhide).
> 
> If we had a f31 compose you would not have hit this. You would update to
> the new f31 version and from there you could upgrade to f32 or stay on f31.
> 
> kevin
> 

I think f32 key should NOT be used until this is fully separated and
compose for older versions exist. Unless that key was leaked somehow,
there is no hurry, right? That hurry makes pain to many people without
justification for it,
I think.

There would always be mass rebuild in later stage of F32, no need to
switch key immediately. I think new key should not be enabled for
signing in new Rawhide until all supported versions have that key in
stable updates repo. That is not yet true now.

I am thinking, is there written guidance how to switch signing key on a
branch? Are we prepared for emergency in case that key was leaked?

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik@xxxxxxxxxx  PGP: 65C6C973

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux