Hi Jan,

I support this proposal, it’s a good idea and it will certainly improve the user experience in this area.

I have one question:

> On 3. Dec 2024, at 18:18, Aoife Moloney via devel-announce <devel-announce@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> We aim to address customer issues when installing RPM packages from
> repositories while outdated repository keys are present on the system.
> These issues include expired keys, obsolete signing algorithms (e.g.,
> SHA1), or other problems that could be easily detected by tools like
> an RPM PGP linter. Currently, PGP checks fail, and users must manually
> remove expired keys using commands like `rpmkeys --delete`.
>
> The proposed solution is a new LIBDNF5 plugin. This plugin will act as
> a hook, checking for invalid repository PGP keys on the system before
> executing a DNF transaction.

Does this mean that after switching to a more strict crypto-policy, the next run would remove (or propose to remove) keys that are no longer considered secure under that crypto-policy?

Thanks,
Clemens

--
Clemens Lang
RHEL Crypto Team
Red Hat