2008/9/10 Paul Wouters <paul(a)xelerance.com>:
On Tue, 9 Sep 2008, Jesse Keating wrote:
> Most users will simply need to apply the offered updates, and later
> apply any further updates, and verify/import the new GPG key.
> For more details and an FAQ, please see
>
https://fedoraproject.org/w/index.php?title=Enabling_new_signing_key
One question I don't see answered is whether the upgrade system purges
the trust on the old key from our systems after verification of the new
key. Otherwise, some DNS or wifi hack in the future could lead me to
a false update site using the old compromised key and my system would
still install those updates.
From the original notification:
"There will be further milestones in the future that involve redirection
of release package repos to match that of updates, and removing of old
gpg key from rpm trust."
i.e. at this point the old key is not purged, but it will be in the
future. Since the resigned repos of the fedora repo are not yet
activated (only the updates-newkey is activated), the old key is still
required to install software. That's my reading of the notice, anyhow.