On Tue, Oct 31, 2017 at 10:49 AM Michael Cronenworth <mike@cchtml.com> wrote:
> On 10/31/2017 03:52 AM, Miroslav Suchý wrote:
> > And I wonder: is it a good idea to keep old gpg keys in RPM db? Or should we automate the removal of old keys?
>
> I'd be all for cleaning up old keys.
>
> However, I would be cautious to not delete keys that are still in use. Example: User
> has Fedora 29 installed and has a package from Fedora 21 still installed as it was
> retired, but it has no dependencies that would cause it to fail.

Correct me if I'm wrong, but we only check keys at installation time, so they'd be able to continue running just fine, but they'd be denied if they tried to reinstall it after F21 is EOL. Which seems perfectly reasonable to me; if you're using an EOL operating system, forcing people to have to pass --no-gpgcheck is a great way to get them to pause and reconsider their situation.
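As an added example (not code from the thread or from Fedora tooling), here is how Michael's caveat could be checked before any automated cleanup: a gpg-pubkey entry is only a candidate for removal when no installed package carries a signature from that key. It assumes the output formats of `rpm -q gpg-pubkey --qf '%{VERSION}-%{RELEASE}\n'` and `rpm -qa --qf '%{NAME} %{SIGPGP:pgpsig}\n'`, and that the VERSION of a gpg-pubkey package is the low 32 bits of the signing key ID; the rpm output below is constructed sample data so the script runs offline.

```python
import re

# Constructed sample of `rpm -q gpg-pubkey --qf '%{VERSION}-%{RELEASE}\n'`.
# VERSION is the low 32 bits (last 8 hex digits) of the key ID, RELEASE the key's creation time.
SAMPLE_PUBKEYS = """\
aabbccdd-5a1b2c3d
11223344-4c0ffee0
99887766-55aa55aa
"""

# Constructed sample of `rpm -qa --qf '%{NAME} %{SIGPGP:pgpsig}\n'`.
# Locally built, unsigned packages print "(none)" for the signature.
SAMPLE_PACKAGES = """\
bash RSA/SHA256, Tue 25 Jul 2017 10:00:00 AM CDT, Key ID 1f2e3d4caabbccdd
old-retired-tool RSA/SHA256, Mon 12 Jan 2015 09:00:00 AM CST, Key ID 0a0b0c0d99887766
my-local-build (none)
"""

KEYID_RE = re.compile(r"Key ID ([0-9a-f]{16})")


def installed_keys(pubkey_output):
    """Map each short key ID (8 hex digits) to its gpg-pubkey package NVR."""
    keys = {}
    for line in pubkey_output.splitlines():
        version, _, release = line.strip().partition("-")
        if version and release:
            keys[version] = f"gpg-pubkey-{version}-{release}"
    return keys


def keys_in_use(package_output):
    """Map short key IDs to the installed packages signed with that key."""
    used = {}
    for line in package_output.splitlines():
        name, _, sig = line.strip().partition(" ")
        match = KEYID_RE.search(sig)
        if match:  # unsigned packages ("(none)") have no key to account for
            used.setdefault(match.group(1)[-8:], []).append(name)
    return used


def stale_keys(pubkey_output, package_output):
    """gpg-pubkey packages that signed none of the installed packages."""
    used = keys_in_use(package_output)
    return sorted(nvr for short, nvr in installed_keys(pubkey_output).items() if short not in used)


if __name__ == "__main__":
    for nvr in stale_keys(SAMPLE_PUBKEYS, SAMPLE_PACKAGES):
        print(f"candidate for removal: {nvr}")  # prints only the key no package uses
```

The retired Fedora 21 package in Michael's scenario keeps its key out of the candidate list, because its signature still references that key; a key that signed nothing installed is all that gets reported.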