On 2020-04-22 11:49, ToddAndMargo via test wrote:
> On 2020-04-21 19:32, Ed Greshko wrote:
>>
>>
>> On Wed, Apr 22, 2020, 09:41 ToddAndMargo via test <test@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>
>>     On 2020-04-21 18:36, Ed Greshko wrote:
>>      > On 2020-04-22 08:21, ToddAndMargo via test wrote:
>>      >> Now the 64,000 dollar question is, is this a bug
>>      >> or normal operation?
>>      >
>>      > It is an issue for the Brave distribution to address.  Not related to Fedora.
>>      >
>>
>>     So, rpm was not supposed to overwrite the key?
>>     Sounds a lot like an rpm bug to me.
>>
>>
>> You will recall that the public key is installed as a separate act.
>
> Not to beat a dead horse, but was that act performed by
> "rpm" (a Fedora package) supposed to have overwritten
> the previous key or just existed without an error
> message?

No.

Software packaged in the RPM format isn't by definition "Fedora".  RedHat did write the RPM
standard but it is used by lots of folks to package their Software.  This includes Suse, RPMFusion,
and Brave.  It is up to the person creating the specific package to determine the actions taken during
install, upgrade, erasure.

The public keys are used to check the signatures of the rpm packagers.  They are normally controlled
by a separate function.  In the case of Fedora itself you have fedora-gpg-keys-31-3.noarch.

Name         : fedora-gpg-keys
Version      : 31
Release      : 3
Architecture : noarch
Size         : 101 k
Source       : fedora-repos-31-3.src.rpm
Repository   : @System
From repo    : updates
Summary      : Fedora RPM keys
URL          : https://fedoraproject.org/
License      : MIT
Description  : This package provides the RPM signature keys.

In the case of RPMFusion, there are multiple.  One is rpmfusion-free-release.

Name         : rpmfusion-free-release
Version      : 31
Release      : 1
Architecture : noarch
Size         : 8.7 k
Source       : rpmfusion-free-release-31-1.src.rpm
Repository   : @System
From repo    : rpmfusion-free
Summary      : RPM Fusion (free) Repository Configuration
URL          : http://rpmfusion.org
License      : BSD
Description  : RPM Fusion free package repository files for yum and dnf
             : along with gpg public keys

It doesn't appear that Brave does the same.  It also isn't necessary, and seldom are old keys removed
as they are unique.

I should have told you that it was not necessary to erase the old Brave key as the old and the new
had totally different names.

So, running

sudo rpm --import https://brave-browser-rpm-release.s3.brave.com/brave-core.asc

would have added gpg-pubkey-c2d4e821-5e7252b8 in addition to the older one c2d4e821-5d13a788

>
>>
>> Both the act of installing the key as well as the brave-browser are not supplied or supported by the Fedora Community.
>
> This is why my question is about the behavior of rpm not Brave

The behavior of "rpm" is defined by the person/project.  The Brave project, IMO, is deficient in this area.

-- 
The key to getting good answers is to ask good questions.
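Added example, not part of the original message: rpm records each imported public key as a pseudo-package named gpg-pubkey-VERSION-RELEASE, where VERSION is the short key ID and RELEASE is a hex-encoded timestamp, so the two Brave entries named above can be told apart by decoding the name. The function names and the third sample name are constructed for illustration, and GNU date is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU date for "-d @SECONDS".

# is_hex8 STR: succeed only for exactly eight lowercase hex digits.
is_hex8() {
    case $1 in *[!0-9a-f]*) return 1 ;; esac
    [ "${#1}" -eq 8 ]
}

# decode_pubkey NAME: split gpg-pubkey-VERSION-RELEASE and print
# "VERSION<TAB>date decoded from RELEASE<TAB>NAME"; fail on anything else.
decode_pubkey() {
    pk_rest=${1#gpg-pubkey-}
    [ "$pk_rest" != "$1" ] || return 1          # not a gpg-pubkey entry
    case $pk_rest in ????????-????????) ;; *) return 1 ;; esac
    pk_id=${pk_rest%%-*}
    pk_rel=${pk_rest#*-}
    is_hex8 "$pk_id" && is_hex8 "$pk_rel" || return 1
    pk_day=$(date -u -d "@$((0x$pk_rel))" +%Y-%m-%d) || return 1
    printf '%s\t%s\t%s\n' "$pk_id" "$pk_day" "$1"
}

# report_keys: read entry names on stdin, print them grouped by key ID with
# the oldest first, and tag key IDs that are present more than once.
report_keys() {
    while IFS= read -r pk_name; do
        decode_pubkey "$pk_name" || printf 'skipped: %s\n' "$pk_name" >&2
    done | LC_ALL=C sort | awk -F '\t' '
        { count[$1]++; line[NR] = $0; id[NR] = $1 }
        END { for (i = 1; i <= NR; i++)
                  print line[i] (count[id[i]] > 1 ? "\tMULTIPLE" : "") }'
}

# Sample input: the two Brave entries quoted in the message plus one
# constructed entry (0000abcd is not a real key).
sample_names() {
    printf '%s\n' gpg-pubkey-c2d4e821-5e7252b8 \
                  gpg-pubkey-c2d4e821-5d13a788 \
                  gpg-pubkey-0000abcd-5c000000
}

sample_names | report_keys
```

On a live system, replace `sample_names` with `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` to audit which keys rpm currently trusts.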