On Tue, Aug 26, 2008 at 12:16 PM, Warren Togami <wtogami(a)redhat.com> wrote:
> 5) In a few weeks after all F8+ packages are re-signed with the new key,
> revoke the old key. The only way we can revoke the old key is to rpm -e
> it. Unfortunately, skvidal did some research into ways we could
> possibly achieve this and our options are not good. rpm -e is
> impossible during rpm %post because it locks the transaction. We really
> do need a way to automate revocation of the old key. It seems we have a
> few weeks to figure out a way to do it.
>
> (Idea: Perhaps we add a hack to rpm itself in a package update? Ugly as
> hell, but what other options do we have?)

Drop a script in /etc/cron.hourly that rpm -e's the key and then
deletes/disables itself.
--
Jeff Ollie
"You know, I used to think it was awful that life was so unfair. Then
I thought, wouldn't it be much worse if life were fair, and all the
terrible things that happen to us come because we actually deserve
them? So, now I take great comfort in the general hostility and
unfairness of the universe."
-- Marcus to Franklin in Babylon 5: "A Late Delivery from Avalon"
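
Added example, not part of the original message or of any Fedora package: a sketch of the self-removing cron.hourly script proposed in the reply above. The key package name `gpg-pubkey-XXXXXXXX-XXXXXXXX` is a placeholder (the thread does not give it), and the `RPM`/`SELF` override variables and function names are assumptions made for illustration.

```shell
#!/bin/sh
# One-shot key revocation job, meant to be dropped into /etc/cron.hourly.
# It runs outside any rpm transaction, so "rpm -e" is not blocked the way
# it would be inside %post.

# Placeholder: substitute the real gpg-pubkey package name of the old key.
OLD_KEY="${OLD_KEY:-gpg-pubkey-XXXXXXXX-XXXXXXXX}"
RPM="${RPM:-rpm}"      # hypothetical override, lets the logic be exercised with a stub
SELF="${SELF:-$0}"     # file to delete once the job is done

revoke_old_key() {
    # Key not in the rpm database (already removed, or never imported):
    # nothing left to revoke. Assumes a failing "rpm -q" means "absent".
    if ! "$RPM" -q "$OLD_KEY" >/dev/null 2>&1; then
        return 0
    fi
    # If the erase does not succeed (for example, another transaction is
    # in progress), report failure so the next hourly run tries again.
    "$RPM" -e "$OLD_KEY" >/dev/null 2>&1 || return 1
    # Only claim success once the key is verifiably gone.
    ! "$RPM" -q "$OLD_KEY" >/dev/null 2>&1
}

run_once() {
    if revoke_old_key; then
        # Job finished: remove this script so cron stops running it.
        rm -f -- "$SELF"
        return 0
    fi
    return 1           # keep the script in place for a retry
}

# Act only when actually installed as an hourly cron job.
case "$0" in
    /etc/cron.hourly/*) run_once ;;
esac
```

The script deletes itself only after the key is confirmed absent, so a failed erase leaves it in place for the next hourly run.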