fedup: does not verify source
Josh Stone
jistone at redhat.com
Mon Dec 17 19:10:27 UTC 2012
On 12/17/2012 10:58 AM, Adam Williamson wrote:
> When you do a yum distro-sync according to the instructions on the wiki,
> you are supposed to manually import the GPG key for the next release. If
> you're doing things Properly, you should somehow verify you're importing
> the correct key and not just blindly typing what a wiki page tells you
> to, but of course what most people do is blindly type what the wiki page
> tells them to...
>
> anyhow, the tricky thing here lies in somehow making it safe for fedup
> to *automatically* import the correct key for the next release. This is
> a subtlish problem.
Do the old keys sign the new keys? Would that be trustworthy enough?
More information about the devel
mailing list