On 11/01/2017 11:51 PM, Sam Varshavchik wrote:

> I don't think much of expiring either. But keys for prior releases
> should simply be removed, as part of the upgrade process, or on the
> first boot after a successful upgrade.
> Now, if we go this way, we have to make sure we don't turn a bad
> situation into a worse one. It's possible that a botched upgrade might
> end up with a system that's still bootable, so prior releases pgp keys
> should be left alone until it's known that fedup did its job
> successfully.
> But once an upgrade is complete, prior release's pgp keys have
> absolutely no value in them, whatsoever, except as an additional
> potential compromise vector.

Packages that were built for older releases are still distributed and
used in newer versions.

A package built for Fedora 24, signed with the Fedora 25 key, running on
my Fedora 26 setup.

$ gpg2 < /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096 2016-03-31 [SCE]
uid           Fedora 25 Primary (25) <fedora-25-prim...@fedoraproject.org>

$ rpm -qi maven-shared-io
Name        : maven-shared-io
Epoch       : 1
Version     : 3.0.0
Release     : 2.fc24
Architecture: noarch
Install Date: Sat 29 Oct 2016 12:26:04 AM CEST
Group       : Unspecified
Size        : 64077
License     : ASL 2.0
Signature   : RSA/SHA256, Sat 02 Apr 2016 12:12:02 AM CEST, Key ID
Source RPM  : maven-shared-io-3.0.0-2.fc24.src.rpm
Build Date  : Thu 04 Feb 2016 10:36:28 AM CET
Build Host  : arm01-builder21.arm.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://maven.apache.org/shared/maven-shared-io
Summary     : API for I/O support like logging, download or file scanning
Description :
API for I/O support like logging, download or file scanning.

$ cat /etc/fedora-release
Fedora release 26 (Twenty Six)
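
The check discussed in this message, generalized to every installed package, as an added example that is not part of the original e-mail or of any Fedora tooling: it counts how many installed packages carry a signature from each imported RPM key, so a prior-release key that still has packages signed by it shows up before anyone removes it. The function names and the key IDs in the sample data are constructed; the two input files are assumed to come from `rpm -q gpg-pubkey --qf '%{VERSION}\n'` and `rpm -qa --qf '%{NAME} %{SIGPGP:pgpsig}\n'`.

```shell
#!/bin/sh
# Added example, not from the original message.
# keys_in_use KEYS_FILE SIGS_FILE
#   KEYS_FILE: one short key ID (8 hex digits) per line, as printed by
#              rpm -q gpg-pubkey --qf '%{VERSION}\n'
#   SIGS_FILE: "<name> <signature description>" per line, as printed by
#              rpm -qa --qf '%{NAME} %{SIGPGP:pgpsig}\n'
# Prints "<short key id> <number of installed packages signed with it>".
keys_in_use() {
    awk '
        FILENAME == ARGV[1] {
            k = tolower($1)
            if (k != "" && !(k in keys)) { keys[k] = 0; order[++n] = k }
            next
        }
        # Signed packages end in "Key ID <hex>"; unsigned ones print "(none)".
        match($0, /Key ID [0-9A-Fa-f]+$/) {
            id = tolower(substr($0, RSTART + 7))
            short = substr(id, length(id) - 7)   # last 8 hex digits
            if (short in keys) keys[short]++
            else unknown[short]++
        }
        END {
            for (i = 1; i <= n; i++) print order[i], keys[order[i]]
            for (k in unknown) print k, unknown[k], "(key not imported)"
        }
    ' "$1" "$2"
}

# Constructed sample data (not from a real system): three imported keys,
# three signed packages and one unsigned gpg-pubkey entry.
sample_report() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 1111aaaa 2222bbbb 3333cccc > "$tmp/keys"
    cat > "$tmp/sigs" <<'EOF'
pkg-a RSA/SHA256, Sat 02 Apr 2016 12:12:02 AM CEST, Key ID 000000001111aaaa
pkg-b RSA/SHA256, Mon 05 Jun 2017 10:00:00 AM CEST, Key ID 000000002222bbbb
pkg-c RSA/SHA256, Tue 06 Jun 2017 11:00:00 AM CEST, Key ID 000000002222bbbb
gpg-pubkey (none)
EOF
    keys_in_use "$tmp/keys" "$tmp/sigs"
    rm -rf "$tmp"
}

sample_report
```

A key reported with a count of 0 has no installed package signed by it; any key with a nonzero count is still the signer of something on the system.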


devel mailing list -- devel@lists.fedoraproject.org