Proposal: Single GPG key per Fedora release (starting with 11)

Josh Boyer jwboyer at gmail.com
Tue Apr 21 00:01:00 UTC 2009


On Mon, Apr 20, 2009 at 7:17 PM, Jesse Keating <jkeating at redhat.com> wrote:
> As I mentioned in an earlier thread I was interested in reducing the
> number of gpg keys down to one per release.  Currently we have two, one
> we sign development builds with during beta/preview and updates-testing,
> and then one we sign the released packages with and the stable updates
> with.  Multiple keys per release creates a lot of churn, reduces the
> number of hardlinks we can maintain, and causes a lot of delay in
> getting package sets prepped for the different releases.  As such I'm
> proposing that we reduce the keys down to one per release, used for all
> the scenarios listed, starting with Fedora 11.  There is already a
> Fedora 11 key that was used to sign beta and will be used to sign
> preview release, I would just revoke / delete the current ID which
> mentions testing and replace it with an ID of just "Fedora 11".
> fedora-release will be modified to handle this in the repo files as
> well.
>
> If there are no strong reasonable objections this will happen early this
> week in time for the Preview release.

I'm good with this overall.  In terms of updates signing, this should
make things go more quickly as well assuming most people go the
updates-testing -> updates route as packages should not need to be
re-signed.

josh



