On Tue, 2017-10-31 at 17:34 +0200, Panu Matilainen wrote:
> On 10/31/2017 04:57 PM, Stephen Gallagher wrote:
> > On Tue, Oct 31, 2017 at 10:49 AM Michael Cronenworth <mike@cchtml.com> wrote:
> > > On 10/31/2017 03:52 AM, Miroslav Suchý wrote:
> > > > And I wonder: is it a good idea to keep old gpg keys in RPM db?
> > > > Or should we automate the removal of old keys?
> > >
> > > I'd be all for cleaning up old keys.
> > >
> > > However, I would be cautious to not delete keys that are still in use.
> > > Example: User has Fedora 29 installed and has a package from Fedora 21
> > > still installed as it was retired, but it has no dependencies that
> > > would cause it to fail.
> >
> > Correct me if I'm wrong, but we only check keys at installation time, so
> > they'd be able to continue running just fine, but they'd be denied if
> > they tried to reinstall it after F21 is EOL. Which seems perfectly
> > reasonable to me; if you're using an EOL operating system, forcing
> > people to have to pass --no-gpgcheck is a great way to get them to pause
> > and reconsider their situation.
>
> Actually rpm by default checks signatures on queries and verification
> too, so there is some value in keeping the keys there, at least for keys
> that are actually in use.

Is it possible to mark keys so they can be used for verification but not
for installation of new packages?

My personal worry is that old keys may get compromised over time, so it
is a very good practice to regularly "disable" old keys.
Simo.
--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
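The caution raised in the thread (old keys can be cleaned up, but keys that installed packages were signed with are still needed for rpm's query-time and `rpm -V` signature checks) can be turned into a small audit. The script below is an added example, not code from the thread or from rpm itself: `classify_keys`, `report_live` and `demo_classify` are hypothetical helper names, and the sample key ids are constructed. It assumes rpm's `%{SIGPGP:pgpsig}` output ends in the 64-bit signing key id and that the `gpg-pubkey` package name carries that id's low 32 bits.

```shell
#!/bin/sh
# Added example, not from the thread: report which gpg-pubkey entries in the
# rpmdb no installed package is signed with, so keys still needed for query
# and 'rpm -V' signature checks are not removed. Helper names are hypothetical.

# classify_keys KEYFILE SIGFILE
#   KEYFILE: one "gpg-pubkey-<keyid>-<timestamp>" name per line
#   SIGFILE: "<pkgname><TAB><signature>" lines, the output of
#            rpm -qa --qf '%{NAME}\t%{SIGPGP:pgpsig}\n'
# Prints "in-use <key> (<n> pkgs)" or "unused <key>", one line per key.
classify_keys() {
    awk -F'\t' '
        # KEYFILE: index each key by the 8 hex digits in its package name
        FILENAME == ARGV[1] { split($1, f, "-"); keys[tolower(f[3])] = $1; next }
        # SIGFILE: rpm prints the 64-bit key id after "Key ID"; the gpg-pubkey
        # name carries only its low 32 bits, so compare on those
        /Key ID [0-9A-Fa-f]+/ {
            n = split($2, t, " "); kid = tolower(t[n])
            used[substr(kid, length(kid) - 7)]++
        }
        END {   # unsigned packages print "(none)" and never reach used[]
            for (k in keys)
                if (k in used) printf "in-use %s (%d pkgs)\n", keys[k], used[k]
                else           printf "unused %s\n", keys[k]
        }' "$1" "$2" | LC_ALL=C sort
}

# report_live: query the real rpmdb (needs rpm). Packages with only a DSA
# signature (SIGGPG tag) print "(none)" for SIGPGP, so review "unused" keys
# before removing them rather than deleting the list blindly.
report_live() {
    k=$(mktemp); s=$(mktemp)
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' > "$k"
    rpm -qa --qf '%{NAME}\t%{SIGPGP:pgpsig}\n' > "$s"
    classify_keys "$k" "$s"; rm -f "$k" "$s"
}

# demo_classify: constructed sample data (key ids are made up), runs offline
demo_classify() {
    k=$(mktemp); s=$(mktemp)
    printf 'gpg-pubkey-abcdef01-5a5a5a5a\ngpg-pubkey-12345678-4b4b4b4b\n' > "$k"
    printf 'foo\tRSA/SHA256, Mon 02 Jan 2017 10:00:00 AM EST, Key ID 00112233ABCDEF01\n' > "$s"
    printf 'bar\t(none)\n' >> "$s"
    printf 'baz\tRSA/SHA256, Tue 03 Jan 2017 10:00:00 AM EST, Key ID 00112233abcdef01\n' >> "$s"
    classify_keys "$k" "$s"; rm -f "$k" "$s"
}

if [ "${1:-}" = "--live" ]; then report_live; else demo_classify; fi
```

Run with `--live` on a Fedora host to audit the real rpmdb; without arguments it only processes the constructed sample.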