Zdenek Dohnal venit, vidit, dixit 2025-07-08 09:22:06: > Hi all, > > thank you for all the work you did/are doing atm with datacenter move! > I'm looking forward to faster infrastructure for my builds and tests :) . > > Unfortunately (as with every big change) discrepancies are appearing and > although I've tried to check emails here and the blog post on the > community blog, I didn't find whether there are some steps to take for > packagers after the datacenter move, so I don't know atm whether the > issues I see are part of post movement work and they will be fixed soon, > or whether I as a packager have to make some configuration changes. > > I see two issues atm: > > 1. when I try to pull updates from pkgs.fedoraproject.org, I get an > error that host key has changed: > > =========================================================================================== > > $ git pull --rebase > > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ > @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! > Someone could be eavesdropping on you right now (man-in-the-middle attack)! > It is also possible that a host key has just been changed. > The fingerprint for the RSA key sent by the remote host is > <fingerprint>. > Please contact your system administrator. > Add correct host key in /home/zdohnal/.ssh/known_hosts to get rid of > this message. > Offending RSA key in /home/zdohnal/.ssh/known_hosts:2 > Host key for pkgs.fedoraproject.org has changed and you have requested > strict checking. > Host key verification failed. > fatal: Could not read from remote repository. > > Please make sure you have the correct access rights > and the repository exists. >
First thing to do is to remove line number 2 in /home/zdohnal/.ssh/known_hosts since the key changed. Someone said to renew the "@cert-athority" lines there, which I did, but I"m still getting a warning like this on pushes: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the RSA key sent by the remote host is SHA256:dJN0nFWBcWK7SFs2k0nnsO+XNA9+aEDY4FWO7uhxTN8. Please contact your system administrator. Update the SSHFP RR in DNS with the new host key to get rid of this message. But the push works. (I use https for fetch, ssh for push.) So I guess some records still need to be updated. > =========================================================================================== > > 2. when I try to update my Fedora 42, there are many checksum mismatches: > > =========================================================================================== > > $ sudo dnf -y upgrade --refresh > ... > Fedora 42 - x86_64 - Updates 66% [============ ] | 46.5 KiB/s | > 184.2 KiB | 00m01s > Fedora 42 - x86_64 - Updates 66% [============ ] | 46.5 KiB/s | > 184.4 KiB | 00m01s > >>> Downloading successful, but checksum doesn't match. Calculated: > 98f903f88c9483cd64474dd2b1648a1e2f211321cebdd80c2f917436604acc41373fac16c2e1aa4b8d44c2b2e42c8f8c9a14cec7b2cca897f0a1e06dcabe23bb(sha512) > > 98f903f > > =========================================================================================== > > and so on, but only for Updates repo. That one never occurred for me. > I saw there is infra issue about this - > https://pagure.io/fedora-infrastructure/issue/12620 - but I would like > to consult this here beforehand, so I wouldn't spam the ticket. > > The latter problem looks like a post-move problem to me, which will get > solved outside of the machine, but the former maybe it is expected from > packagers to change? Yes, remove the mentioned line. You'll end up with a warning instead of an error. I don't remember where I got the cert-authority lines from, but either those need an update or (more likely) the SSHFP DNS records do. Michael -- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
