On 10/31/2017 04:15 PM, Sam Varshavchik wrote:
> David Cantrell writes:
>> I don't really consider this a thing about saving space or making the
>> output of 'rpm -qa' look nicer or something, but rather being good users
>> of GPG. If we create and then phase out signing keys, then part of our
>> process should also involve sending revocations for the old keys. And
>> that process could be automated by a dnf plugin too. Leaving old keys
>> around on the system for verification purposes presents a risk should
>> the old key become compromised.
> Pretty sure I recall that a signing key was potentially compromised,
> some years ago, and the entire distro had to be re-signed with a new key.

Indeed. It has happened. It was very frustrating.

> … Yup. Just checked. Fedora 9 had to be re-signed with a new pgp
> key.
> How quickly people forget.

It's very easy to forget.

> Personally, every few releases I've manually gone through, and
> nuked old repo keys.

And I think a lot of us tend to do that sort of housekeeping work, which
was sort of the point of my response. We could make that a little
better in our tools (if it's not already there in some capacity).
Thanks,
--
David Cantrell <dcantrell(a)redhat.com>
Red Hat, Inc. | Boston, MA | EST5EDT
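The manual housekeeping described in the thread, as an added example that is not code from the thread, from rpm or from dnf: a shell helper that reads the `gpg-pubkey` listing from the RPM database and picks out Fedora release keys older than a chosen window, printing the removal commands as a dry run first. The sample listing is constructed (fake key IDs), and the assumption that each Fedora key's uid carries its release number in parentheses is mine; adjust the regex if the uids on your system differ.

```shell
#!/bin/sh
# Added example (not from the thread, rpm or dnf): find stale Fedora release
# signing keys in the RPM database so they can be reviewed and removed.
set -eu

# Constructed sample standing in for the output of
#   rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
# Key IDs are fake; the "Fedora (NN)" uid layout is an assumption.
sample_keys() {
    printf 'gpg-pubkey-00000001-51a2b3c4\tgpg(Fedora (24) <fedora-24@example.org>)\n'
    printf 'gpg-pubkey-00000002-5a1b2c3d\tgpg(Fedora (25) <fedora-25@example.org>)\n'
    printf 'gpg-pubkey-00000003-5b2c3d4e\tgpg(Fedora (26) <fedora-26@example.org>)\n'
    printf 'gpg-pubkey-00000004-5c3d4e5f\tgpg(Fedora (27) <fedora-27@example.org>)\n'
    printf 'gpg-pubkey-00000005-5d4e5f60\tgpg(Third Party Repo <repo@example.org>)\n'
}

# stale_keys CURRENT KEEP
#   Reads the tab-separated listing on stdin and prints the package name of
#   every release key older than CURRENT-KEEP. Keys whose uid has no "(NN)"
#   release number (third-party repos) are skipped rather than guessed at,
#   so they stay on the system for manual review.
stale_keys() {
    awk -F'\t' -v cur="$1" -v keep="$2" '
        match($2, /\([0-9]+\)/) {
            rel = substr($2, RSTART + 1, RLENGTH - 2) + 0
            if (rel < cur - keep) print $1
        }'
}

# Dry run: print the rpm -e commands instead of executing them.
dry_run() {
    stale_keys "$@" | sed 's/^/rpm -e /'
}

# Fedora 27 host keeping the keys of one prior release:
sample_keys | dry_run 27 1
# On a real host (removal itself needs root):
#   rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' \
#       | stale_keys 27 1 | xargs -r -n1 rpm -e
```

Removing a `gpg-pubkey` entry only stops rpm from trusting that key for future verification; packages already installed are unaffected. Before pruning, also check that no enabled repo file under /etc/yum.repos.d still points its `gpgkey=` at the old key, or the next `dnf` run will re-import it.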