On 8/21/19 2:50 AM, Petr Mensik wrote:
I think f32 key should NOT be used until this is fully separated and
compose for older versions exist. Unless that key was leaked somehow,
there is no hurry, right? That hurry makes pain to many people without
justification for it,
I think.
Well, sure, I suggested we might want to 'pause' rawhide composes until
we have a branched next time, but that isn't great either because it
means people wanting to work on rawhide also have to wait for it.
There would always be mass rebuild in later stage of F32, no need to
switch key immediately. I think new key should not be enabled for
signing in new Rawhide until all supported versions have that key in
stable updates repo. That is not yet true now.
Sure, and we could push the new fedora-repos update sooner.
I don't disagree.
I am thinking, is there written guidance how to switch signing key on a
branch? Are we prepared for emergency in case that key was leaked?
We had to do this in fedora 9(?). Basically a new key was issued and
everything was resigned with that key and the repo was fedora9-newkey.
kevin