On Sunday, 26 December 2021 11:25:21 GMT Roberto Sassu via devel wrote:
> From: Dan Čermák [mailto:dan.cermak@cgc-instruments.com]
> Sent: Sunday, December 26, 2021 7:10 AM
> Ben Cotton <bcotton(a)redhat.com> writes:
>
> *snip*
> > == Upgrade/compatibility impact ==
> > The user should ensure that software (not updated) from the old
> > distribution is packaged and the package header is signed, or he
> > should create and sign a custom digest list for the software he wishes
> > to use after the upgrade.
>
>
> Uhm, so locally/manually installed software (i.e. not signed by Fedora's
> signkeys) will silently break when switching to F36? How about 3rd party
> repositories?
> This is the main point of the feature. It aims to protect the user
> against untracked software spread on the disk, and to make him
> accept the software he wants to run.
> Most likely, initially this process will be manual (there is a tool
> to generate a custom digest list). In the future, DIGLIM can
> be extended (in user space) to recognize the integrity information
> provided by the software developer.
A concrete case:
I use Fedora, a third-party repository, and a private repository for my
systems. The private repository is unsigned - it's just created via
createrepo, and contains RPMs I've built with mock locally.
What do I need to do if this feature is accepted, in order to not see any
impact? If I need to change any of the repositories I use and trust, can you
point me to step-by-step instructions I need to follow?
--
Simon