The yum-conf should have been updated automatically unless it had been changed, in which case the .rpmnew was made.

I think the way Red Hat did it was very confusing and would have caused other problems.

We know this is a hard pill to swallow.

-connie sieh

On Thu, 23 Jul 2009, Robert E. Blair wrote:

I see the same problem.  It is a bit of a mess because I too always set
gpgcheck=1 and that means a hand edit of all the repo files to recover
since many have changed in other ways as well.  It seems like asking for
trouble to set gpgcheck=0 as is the default.



But if you have to fix something manually you might as well fix the yum.conf to include the new key.


Kelvin Raywood wrote:
| Now that a couple of package updates (libtiff, libtiff-devel) have been
| signed with the new SL signing key, a couple of issues have arisen that
| are causing automatic updates to fail.
|
| In SL 5.1 (and possibly SL 5.0) the release number of the sl-release
| package was not incremented and so those systems did not receive the new
| keys.
|
| [email protected]> rpm -q --changelog sl-release
| * Fri May 23 2008 Troy Dawson <[email protected]> - 5.1-2
| - Changed sources to be 51 instead of 5rolling
|
| ...
|
| i.e., sl-release has been at 5.1-2 since May 2008
|
| The new version of the package is the same release number and the May
| 23, 2008 entry from the changelog has disappeared.
|
| Another cause of update failures is that if the yum repo files have been
| modified (e.g. to enable signature checking), then the update to
| yum-conf created .rpmnew files but left the modified files in
| place.  This is correct behaviour but it means that the path to  the new
| key is not in the .repo files and so security updates fail because the
| repository now has packages signed with the new key.
|
| For some systems it is not sufficient to just fix the .repo files. If
| they have missed the update to sl-release because they've been
| offline, or because of the release number problem above, then updates
| will continue to fail because they don't have the new key. The solution
| on any individual system is fairly straightforward; disable signature
| checking or import the new keys manually. However at TRIUMF (and I
| suspect other institutions) there are a large number of desktop PCs
| managed by their owners; some of whom are less than diligent about
| reading email sent to root about failing yum updates.
|
| When Fedora changed their signing key last year, they created new
| repositories (i386.newkey, x86_64.newkey) and systems were updated in a
| two-step.  First the yum-conf package installed new .repo files pointing
| at the new repositories.  Then all new updates went to the new
| repositories.  This avoided update failures because of missing keys.
|
| Do most people just leave their signature checking disabled and so don't
| have the problem or have I missed something obvious here?
|
| I'm a little surprised that this issue has not already been raised.
|
| Kel Raywood
| TRIUMF

--
Robert E. Blair, Room C221, Building 360
Argonne National Laboratory (High Energy Physics Division)
9700 South Cass Avenue, Argonne, IL 60439, USA
Phone: (630)-252-7545  FAX: (630)-252-5782
GnuPG Public Key: http://www.hep.anl.gov/reb/key.asc
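
The failure mode discussed in this thread (a locally edited .repo file kept in place while the update with the new key path lands in a .rpmnew beside it) can be audited mechanically. The following is an added example, not code from the thread or from the SL project; the repo id, mirror URL and key file names are constructed placeholders.

```python
import configparser
import re
import tempfile
from pathlib import Path

# Constructed sample: an admin-edited .repo (gpgcheck on, old key only) and the
# .rpmnew the package update left beside it. All names are placeholders.
ACTIVE = """[example-security]
baseurl=http://mirror.example.org/$releasever/$basearch/updates/security
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example-old
"""
RPMNEW = """[example-security]
baseurl=http://mirror.example.org/$releasever/$basearch/updates/security
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example-old
       file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example-new
"""

def load(path):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(path)
    return cp

def gpg_keys(cp, section):
    """gpgkey may list several URLs separated by whitespace, newlines or commas."""
    return {k for k in re.split(r"[\s,]+", cp.get(section, "gpgkey", fallback="")) if k}

def audit(repo_dir):
    """Return (file, section, issue, detail) tuples for each active .repo file."""
    findings = []
    for active in sorted(Path(repo_dir).glob("*.repo")):
        cur = load(active)
        pending = Path(f"{active}.rpmnew")
        new = load(pending) if pending.exists() else None
        for sec in cur.sections():
            # Only an explicit gpgcheck=0 is flagged; unset values are not examined.
            if cur.get(sec, "gpgcheck", fallback="").strip() == "0":
                findings.append((active.name, sec, "gpgcheck-off", []))
            if new is not None and new.has_section(sec):
                # Key URLs shipped in the .rpmnew but absent from the file in use.
                if missing := sorted(gpg_keys(new, sec) - gpg_keys(cur, sec)):
                    findings.append((active.name, sec, "missing-key", missing))
    return findings

def demo():
    with tempfile.TemporaryDirectory() as d:
        Path(d, "example.repo").write_text(ACTIVE)
        Path(d, "example.repo.rpmnew").write_text(RPMNEW)
        return audit(d)
```

On a real host, `audit("/etc/yum.repos.d")` lists the sections whose key paths need merging from the .rpmnew; whether the key itself has been imported into the RPM database is a separate check.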