New package distribution-gpg-keys

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Sat Oct 17 01:46:24 UTC 2015


On Fri, Oct 16, 2015 at 07:37:15PM -0500, Dennis Gilmore wrote:
> fedora-repos should have all the keys needed for upgrade. So the only thing needing the keys is mock. However I'm not sure you should include rpmfusion keys in Fedora.

On a related note, something that I thought about when trying to
verify old Fedora keys...
Would it be possible for people who create those keys (or other people
from release-engineering who can verify that they keys are correct) to
sign them with their private keys and upload the resulting signatures
to public key servers? It would provide an additional verification
path. Distribution package signing keys are important enough for this
to be worth the extra work imho.

Zbyszek


More information about the devel mailing list