Zbigniew Jędrzejewski-Szmek wrote: > As to the implementation: the distro has a historical list of all keys > used to sign its packages. For any given release we know which keys > are "old". In some fixed location, distribute a file that lists the > hashes of "old keys" (old relative to the current distro release). > In case of Fedora this could be distributed by fedora-release package. > Whenever the user does an upgrade that adds _new_ keys, look at the > list generated by 'rpmkey --list' and for each key also on the list of > "old keys" query for removal. That’s fine for what it is, but it doesn’t help with keys for third-party repositories. I think the approach of looking in /etc/yum.repos.d/, and removing anything not referenced from there (as suggested at https://docs.fedoraproject.org/en-US/quick-docs/upgrading-fedora-offline/#sect-clean-up-old-keys) is better. -- Peter Oliver -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
