yum GPG verify and package sigs...
Chris Ricker
kaboom at oobleck.net
Sat Jul 23 15:43:32 UTC 2005
On Sat, 23 Jul 2005, Warren Togami wrote:
> I just noticed that using yum's default FC4 configuration, it is seemingly
> impossible to install packages like docbook-utils which is signed by a
> different GPG key than the default specified to that repository in
> /etc/yum.repos.d/fedora.repo. I suppose this is partially my fault because
> I'm the last person to touch that repo file, but it is strange to me that I
> never noticed this problem until now.
>
> I *like* that yum enforces this strictly, but are there any good reasons why
> we should allow packages in a repo to be signed by two or more valid keys
> rather than a single key?
>
> Did we screw up by not resigning everything in base before pushing FC4, or is
> this really a yum config problem?
>
> Any ideas how we should fix this now? Should we resign the entire repo and
> push that to mirrors?
Either:
* Don't do that again (not resign everything) next time
* list multiple keys now that yum supports
See also a whole slew of bugs in Bugzilla (160898, 161786, 162302, 162301,
160436, etc) caused by this
later,
chris
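
The "list multiple keys" option from the reply above, as an added example that is not code from this thread or from yum itself: it parses a repo stanza whose `gpgkey` lists two keys and reports which packages would still fail signature checking. The repo text, key paths, key IDs and package names are all constructed placeholders, and the function names are hypothetical.

```python
import configparser

# Constructed sample: one repo stanza listing two keys (placeholder paths).
SAMPLE_REPO = """\
[base]
name=Example base repo
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/EXAMPLE-KEY-A
       file:///etc/pki/rpm-gpg/EXAMPLE-KEY-B
"""

# Constructed data: key file -> key ID, and package -> ID of its signing key.
KEY_IDS = {
    "file:///etc/pki/rpm-gpg/EXAMPLE-KEY-A": "aaaaaaaa11111111",
    "file:///etc/pki/rpm-gpg/EXAMPLE-KEY-B": "bbbbbbbb22222222",
}
PACKAGE_SIGS = {
    "pkg-one": "aaaaaaaa11111111",
    "pkg-two": "bbbbbbbb22222222",
    "pkg-three": "cccccccc33333333",  # signed by a key the repo does not list
    "pkg-four": None,                 # not signed at all
}

def repo_keys(repo_text, section):
    """Return (gpgcheck_enabled, [gpgkey URLs]) for one repo stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(repo_text)
    enabled = cp.getboolean(section, "gpgcheck", fallback=False)
    # Indented continuation lines are joined into one value; split on whitespace.
    urls = cp.get(section, "gpgkey", fallback="").split()
    return enabled, urls

def audit(repo_text, section, key_ids, package_sigs):
    """List packages whose signing key is not among the repo's listed keys."""
    enabled, urls = repo_keys(repo_text, section)
    if not enabled:
        raise ValueError(f"[{section}] has gpgcheck disabled")
    trusted = {key_ids[u] for u in urls}
    return sorted(p for p, kid in package_sigs.items() if kid not in trusted)

if __name__ == "__main__":
    # Packages that would be rejected with the two-key configuration.
    print(audit(SAMPLE_REPO, "base", KEY_IDS, PACKAGE_SIGS))
```

Running the same audit against a stanza that lists only one key shows the failure described in the quoted message: every package signed by the second key is reported.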