gpg keys of older/newer fedora versions
Kevin Fenzi
kevin at scrye.com
Sat Aug 1 16:40:45 UTC 2015
On Fri, 17 Jul 2015 17:28:48 +0000
Zbigniew Jędrzejewski-Szmek <zbyszek at in.waw.pl> wrote:
> [In light of https://bugzilla.redhat.com/show_bug.cgi?id=1241383]
>
> 'dnf install --installroot=... --releasever=XX dnf' can be used to
> bootstrap a Fedora chroot. The only snag is that --nogpg is often
> recommended, because fedora-repos only provides the GPG keys for the
> current and next release.
>
> It would be convenient (and safe!) to provide keys for past and
> future releases, so such bootstrapping can be done without either
> importing the keys manually and/or using --nogpg.
>
> I thought I'd ask here first: is there a strong reason *not* to
> include those keys?

So, I missed this thread, but saw it from the bug filed:
https://bugzilla.redhat.com/show_bug.cgi?id=1246701

Several things here:

* If we ship gpg keys for old EOL Fedora releases, aren't we
  encouraging people to set up things we no longer support?

* If we only ship supported releases in each fedora-repos package, it
  means more churn for that package for everyone, as when a release goes
  EOL we would need to push a new update that removes the old EOL key.

* As Till pointed out, mock seems to already carry these keys, so some
  coordination here seems like a good idea no matter what we do. ;)

* Can you describe the use case here a bit more? Why wouldn't you use
  mock (which has the keys already) to make a chroot?

kevin