I'd really prefer that we merge the existing certificate with the new
certificate. This is particularly important as gpg strips old self signatures
when exporting certificates. One consequence of replacing an existing
certificate with a new version is that existing packages may not verify any
more, which is annoying. Another is that we may remove a revocation
certificate, which is dangerous.
If we don't need to order versions, then using the hash as the version seems
reasonable. Is that correct?
If we use the hash of the "blob," this may mean that we have version A
installed, the user installs version B, and as a result C is installed. Is
that okay?
Using a hash also assumes a canonical form. OpenPGP certificates don't have a
canonical form. Packets, for instance, can be reordered. Is that an issue?
It occurs to me that for the internal backend, this isn't really a problem as
the only thing that really matters is the primary key packet. So we can
probably come up with a straightforward hack.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2577#issuecomment-1719111070
You are receiving this because you are subscribed to this thread.
Message ID: <rpm-software-management/rpm/issues/2577/1719111...@github.com>
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
