David Cantrell writes:

I don't really consider this a thing about saving space or making the
output of 'rpm -qa' look nicer or something, but rather being good users
of GPG.  If we create and then phase out signing keys, then part of our
process should also involve sending revocations for the old keys.  And
that process could be automated by a dnf plugin too.  Leaving old keys
around on the system for verification purposes presents a risk should
the old key become compromised.

Pretty sure I recall that a signing key was potentially compromised, some years ago, and the entire distro had to be re-signed with a new key.

… Yup. Just checked. Fedora 9 had to be re-signed with a new PGP key.

How quickly people forget.

Personally, every few releases I've manually gone through, and nuked old repo keys.


_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org

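The manual clean-up the reply describes (going through the rpmdb and removing keys for releases that are long gone) can be turned into a reviewable script. The following is an added example, not code from the thread or from Fedora's tooling. It reads the output of `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'`, picks out the Fedora release number that the key's summary names, and prints the `rpm -e` commands for anything older than a cut-off release. The sample rpm output embedded below is constructed; the key IDs and timestamps in the package names are made up, and only the summary format is assumed to match what real Fedora keys show.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): list and plan removal of
# stale Fedora repo signing keys held as gpg-pubkey packages in the rpmdb.
#
# Input format, one key per line, as produced by:
#   rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
# Real Fedora keys carry a summary such as
#   gpg(Fedora (39) <fedora-39-primary@fedoraproject.org>) public key
# and the release number in parentheses is what we key on.

TAB=$(printf '\t')

# Constructed sample of that rpm output. Key ids and timestamps are invented;
# they are not real Fedora or RPM Fusion key fingerprints.
SAMPLE_KEYS=$(printf '%s\n' \
  "gpg-pubkey-aaaaaaaa-11111111${TAB}gpg(Fedora (30) <fedora-30-primary@fedoraproject.org>) public key" \
  "gpg-pubkey-bbbbbbbb-22222222${TAB}gpg(Fedora (38) <fedora-38-primary@fedoraproject.org>) public key" \
  "gpg-pubkey-cccccccc-33333333${TAB}gpg(Fedora (39) <fedora-39-primary@fedoraproject.org>) public key" \
  "gpg-pubkey-dddddddd-44444444${TAB}gpg(RPM Fusion free repository for Fedora (38) <rpmfusion-buildsys@lists.rpmfusion.org>) public key")

# stale_fedora_keys MIN_RELEASE
# Reads rpm output on stdin and prints the gpg-pubkey package names whose
# summary names a Fedora release older than MIN_RELEASE. Keys whose summary
# carries no "Fedora (N)" marker are skipped rather than guessed at.
stale_fedora_keys() {
  min_release=$1
  while IFS="$TAB" read -r pkg summary; do
    rel=$(printf '%s' "$summary" | sed -n 's/.*Fedora (\([0-9][0-9]*\)).*/\1/p')
    if [ -n "$rel" ] && [ "$rel" -lt "$min_release" ]; then
      printf '%s\n' "$pkg"
    fi
  done
}

# removal_plan MIN_RELEASE
# Emits the rpm -e commands instead of running them, so the list can be
# reviewed before anything destructive happens.
removal_plan() {
  stale_fedora_keys "$1" | while read -r pkg; do
    printf 'rpm -e %s\n' "$pkg"
  done
}

# Stand-alone demo on the constructed sample: keys for releases older than 38.
# On a real host feed the live rpmdb instead:
#   rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' | removal_plan 38
printf '%s\n' "$SAMPLE_KEYS" | removal_plan 38
```

The cut-off is deliberately an explicit argument rather than "current release minus two": whatever policy you pick, review the printed plan before running it, because a removed key cannot be used to verify packages from that release until it is re-imported.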