On Thu, Dec 05, 2024 at 11:51:55AM +0200, Panu Matilainen wrote:
> On 12/5/24 10:42 AM, Zbigniew Jędrzejewski-Szmek wrote:
> > On Thu, Dec 05, 2024 at 08:53:05AM +0100, Jan Kolarik wrote:
> > > Hi Zbyszek,
> > >
> > > Thank you for your interest in this proposal!
> > >
> > > > I'd like to see behaviour where keys for EOL releases are removed as
> > > > soon as possible. I.e. if I have upgraded to F42, but still have a
> > > > package from F39, then keep the key for F39 so that rpm doesn't
> > > > faceplant. But as soon as I remove the last package signed with that
> > > > key, remove the key automatically. Does the proposed plugin implement
> > > > something like this, and if not, would it be possible?
> > >
> > > The primary use case this proposal aims to address is outlined in the
> > > upstream ticket: https://github.com/rpm-software-management/dnf5/issues/1192.
> > > Specifically, it focuses on scenarios where a repository key has expired
> > > and been prolonged. In such cases, the system should remove the expired key
> > > and fetch the updated one to ensure continued ability to install RPM
> > > packages from the repository already configured on the system.
> >
> > OK.
> >
> > > I understand your point regarding Fedora keys, but that seems slightly
> > > off-topic from the current proposal's direction. Moreover, I currently
> > > don't see a generic, non-Fedora-specific way to handle such
> > > situations—specifically, determining if a key was superseded by another
> > > from a subsequent release and whether the old key is no longer needed.
> > >
> > > That said, if you have ideas on how to address this, I'd be happy to
> > > discuss them further.
> >
> > I think the issue is not specific to Fedora and would apply to all
> > distros using DNF/rpm. This is because of some generic properties:
> >
> > 1. rpm checks keys also when uninstalling packages and will fail to
> > operate if the system has an rpm installed without a valid key (*).
> "fail to operate" is a rather wild exaggeration.
>
> Rpm does not currently require any keys to be present, and there's not a
> single visible consequence if you remove all your keys.

Oh, indeed. If the key is present but rpm doesn't like it (because of the
signature type or validity constraints), rpm will refuse to operate on the
package (list it, uninstall, or upgrade). But if the key is just missing,
rpm is happy. Even 'rpm -V' passes without any warning.

You're right, I was misremembering the issue. So we probably could just
uninstall old keys as part of the upgrade.

[snip]

> FWIW, we're working to have a rpmkeys --rebuild mode in rpm 6.0, which will
> purge no longer valid keys as a part of its operation.
>
> We could also have a mode to look for unused keys I suppose.

Ack. So I'm not sure where this functionality should be implemented. In
dnf, in rpm, or maybe in some distro-specific tooling that is not part of
the tools themselves but an addition on top…

Zbyszek
-- 
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
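The two behaviours discussed in the thread (a gpg-pubkey that no remaining package is signed with, which Panu's "look for unused keys" mode would find, and a package whose signing key is simply absent, where rpm stays silent) can be checked from plain rpm query output. The following is an added example written for this discussion; it is not code from the thread, from rpm, or from the dnf5 plugin proposal. It assumes the output shape of `rpm -qa --qf '%{NAME}\t%{SIGPGP:pgpsig}\n'` (one line per package ending in `Key ID <long key id>`, or `(none)` for unsigned packages) and of `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`, and relies on the VERSION of a gpg-pubkey package being the low 32 bits (last 8 hex digits) of the key id. All sample lines are constructed, so the script runs offline; the `live_inputs` helper shows how the same functions would be fed from a real system.

```python
"""Find rpm GPG keys that no installed package uses, and keys that are missing.

Added example for the devel@ thread on removing stale keys; not rpm or dnf code.
Assumes the query formats documented in the lead-in. Sample data is constructed.
"""
import re
import subprocess
from collections import Counter

# Constructed sample of: rpm -qa --qf '%{NAME}\t%{SIGPGP:pgpsig}\n'
# Unsigned packages (and the gpg-pubkey pseudo-packages) print "(none)".
SAMPLE_SIGS = """\
bash\tRSA/SHA256, Tue 02 Jul 2024 10:00:00 AM UTC, Key ID 0000000011112222
coreutils\tRSA/SHA256, Tue 02 Jul 2024 10:00:00 AM UTC, Key ID 0000000011112222
old-tool\tRSA/SHA256, Mon 01 May 2023 10:00:00 AM UTC, Key ID 0000000033334444
vendor-agent\tRSA/SHA256, Mon 03 Jun 2024 10:00:00 AM UTC, Key ID 0000000055556666
localbuild\t(none)
gpg-pubkey\t(none)
gpg-pubkey\t(none)
gpg-pubkey\t(none)
"""

# Constructed sample of: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
# VERSION = low 32 bits of the key id, RELEASE = key creation time in hex.
SAMPLE_PUBKEYS = """\
gpg-pubkey-11112222-65a1b2c3
gpg-pubkey-33334444-63d04c2c
gpg-pubkey-77778888-60f0e0d0
"""

KEYID_RE = re.compile(r"Key ID ([0-9a-fA-F]{8,16})")
PUBKEY_RE = re.compile(r"^gpg-pubkey-([0-9a-f]{8})-([0-9a-f]{8})$")


def parse_signing_keys(sig_output):
    """Map package name -> short key id (last 8 hex digits), or None if unsigned."""
    result = {}
    for line in sig_output.splitlines():
        if not line.strip():
            continue
        name, _, sig = line.partition("\t")
        m = KEYID_RE.search(sig)
        result[name] = m.group(1)[-8:].lower() if m else None
    return result


def parse_installed_pubkeys(pubkey_output):
    """Map short key id -> installed gpg-pubkey package NEVR."""
    keys = {}
    for line in pubkey_output.splitlines():
        m = PUBKEY_RE.match(line.strip())
        if m:
            keys[m.group(1)] = line.strip()
    return keys


def key_usage(sig_output, pubkey_output):
    """Return (unused gpg-pubkey NEVRs, key ids used but not installed, unsigned packages).

    The second list is the case rpm itself does not warn about: packages whose
    key is absent still list, verify and uninstall cleanly.
    """
    pkg_keys = parse_signing_keys(sig_output)
    installed = parse_installed_pubkeys(pubkey_output)
    used = Counter(k for k in pkg_keys.values() if k)
    unused = sorted(nevr for kid, nevr in installed.items() if kid not in used)
    missing = sorted(kid for kid in used if kid not in installed)
    unsigned = sorted(n for n, k in pkg_keys.items() if k is None and n != "gpg-pubkey")
    return unused, missing, unsigned


def keys_freed_by_removal(sig_output, pubkey_output, removed):
    """Keys that become unused once `removed` packages are gone: the
    'drop the key when its last package is uninstalled' rule."""
    pkg_keys = parse_signing_keys(sig_output)
    installed = parse_installed_pubkeys(pubkey_output)
    gone = set(removed)
    before = {k for k in pkg_keys.values() if k}
    after = {k for n, k in pkg_keys.items() if k and n not in gone}
    return sorted(installed[kid] for kid in before - after if kid in installed)


def removal_commands(unused_pubkeys):
    """Commands an operator would review before running; nothing is executed here."""
    return [f"rpm -e {nevr}" for nevr in unused_pubkeys]


def live_inputs():
    """Fetch the two query outputs from a real system (not used by the sample run)."""
    run = lambda args: subprocess.run(args, capture_output=True, text=True, check=True).stdout
    sigs = run(["rpm", "-qa", "--qf", r"%{NAME}\t%{SIGPGP:pgpsig}\n"])
    keys = run(["rpm", "-q", "gpg-pubkey", "--qf", r"%{NAME}-%{VERSION}-%{RELEASE}\n"])
    return sigs, keys


if __name__ == "__main__":
    unused, missing, unsigned = key_usage(SAMPLE_SIGS, SAMPLE_PUBKEYS)
    print("unused keys:", unused)            # ['gpg-pubkey-77778888-60f0e0d0']
    print("missing key ids:", missing)       # ['55556666']
    print("unsigned packages:", unsigned)    # ['localbuild']
    print("freed by removing old-tool:", keys_freed_by_removal(SAMPLE_SIGS, SAMPLE_PUBKEYS, ["old-tool"]))
    print("\n".join(removal_commands(unused)))
```

On a live host, replace the sample constants with `live_inputs()`; the script deliberately only prints the `rpm -e` lines so that key removal stays a reviewed, explicit step rather than something that happens as a side effect of a query.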