On Wed, Sep 4, 2024 at 8:48 AM Andreas Hasenack <andr...@canonical.com> wrote:
>
> Hi,
>
> On Wed, Sep 4, 2024 at 7:27 AM Luca Boccassi <luca.bocca...@gmail.com> wrote:
>>
>> Hi,
>> (...)
>> Given all of this, the costs appear minor, especially compared to
>> other updates that are part of point releases. Is there perhaps some
>> angle or detail that I am missing here? I appreciate Robie
>
>
> I think one cost that may be missing from this analysis is the burden of
> responsibility in the case of revoked keys. Should a key be revoked in, say,
> Fedora, Fedora users can obviously expect an expedited update to the keyring.
> But will the Fedora maintainers (again, just an example, pick $distro)
> remember to also propagate this update to every other non-fedora distro?

For Fedora, distribution-gpg-keys is a prerequisite for the core
packager/developer workflow, and if the key were to be revoked and
replaced, it gets put into that package pretty much immediately.
Otherwise, people's local package builds start failing.

--
Neal Gompa (FAS: ngompa)