2008/9/10 Paul Wouters <paul@xxxxxxxxxxxxx>: > On Tue, 9 Sep 2008, Jesse Keating wrote: > >> Most users will simply need to apply the offered updates, and later >> apply any further updates, and verify/import the new GPG key. > >> For more details and an FAQ, please see >> https://fedoraproject.org/w/index.php?title=Enabling_new_signing_key > > One question I don't see answered is whether the upgrade system purges > the trust on the old key from our systems after verification of the new > key. Otherwise, some DNS or wifi hack in the future could lead me to > a false update site using the old compromised key and my system would > still install those updates. > >From the original notification: "There will be further milestones in the future that involve redirection of release package repos to match that of updates, and removing of old gpg key from rpm trust." i.e. at this point the old key is not purged, but it will be in the future. Since the resigned repos of the fedora repo are not yet activated (only the updates-newkey is activated), the old key is still required to install software. That's my reading of the notice, anyhow. -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
