Proposal: Single GPG key per Fedora release (starting with 11)

Oisin Feeley oisin.feeley at gmail.com
Tue Apr 21 01:15:50 UTC 2009


On Mon, Apr 20, 2009 at 8:28 PM, Mark <markg85 at gmail.com> wrote:

> On Tue, Apr 21, 2009 at 1:17 AM, Jesse Keating <jkeating at redhat.com>
> wrote:
> > As I mentioned in an earlier thread I was interested in reducing the
> > number of gpg keys down to one per release.  Currently we have two, one
> > we sign development builds with during beta/preview and updates-testing,
> > and then one we sign the released packages with and the stable updates
> > with.  Multiple keys per release creates a lot of churn, reduces the
> > number of hardlinks we can maintain, and causes a lot of delay in
> > getting package sets prepped for the different releases.  As such I'm
> > proposing that we reduce the keys down to one per release, used for all
> > the scenarios listed, starting with Fedora 11.  There is already a
> > Fedora 11 key that was used to sign beta and will be used to sign
> > preview release, I would just revoke / delete the current ID which
> > mentions testing and replace it with an ID of just "Fedora 11".
> > fedora-release will be modified to handle this in the repo files as
> > well.
> >
> > If there are no strong reasonable objections this will happen early this
> > week in time for the Preview release.
> >
>
> Sounds like a good thing to do.
>
> Just one other thing I notice here.
> Look at what you've done here. You suggest something and are going to
> implement it unless you get some feedback that lets you think. That on
> its own is no problem for me.
>
> The problem I see is that when anyone wants to request anything to be
> done in Fedora they have to:
> - Write a detailed page on the wiki
> - Make a Bugzilla feature request
> - wait some time till it's reviewed (can be days, weeks or even months if
> ever)
> - let it be approved by FESCo
>
> and what else did I forget.
> I have to mention with that that it's just how I see new stuff getting
> in (or rejected).
> No first-hand experience here but only how I witness it.
>
> So now I'm wondering... how come that you can get something in within a
> matter of hours and without explaining a lot


To be fair it's not just a couple of hours.  The idea was first mooted on
2009-01-16

http://fedoraproject.org/wiki/FWN/Issue159#New_GPG_Signing_Keys_for_Each_Release

and did not seem to stimulate much in the way of objections.
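As an added illustration of the repo-file side of the proposal (this is not code from the thread or from fedora-release; the key file path, repo ids and stanzas are constructed assumptions), here is a small checker that confirms every repo in a .repo body verifies signatures against one shared key with gpgcheck enabled, and flags the older layout where updates-testing used its own key:

```python
import configparser

# Constructed sample in the style of a fedora-release .repo file after the
# proposal: release, updates and updates-testing all share one key.
# The key path is a placeholder assumption, not the project's real file name.
SINGLE_KEY_REPOS = """
[fedora]
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-11

[updates]
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-11

[updates-testing]
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-11
"""

# Constructed sample of the older two-key layout the thread describes,
# plus one stanza with signature checking switched off entirely.
TWO_KEY_REPOS = """
[fedora]
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-11

[updates-testing]
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-11-testing

[rawhide]
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-11
"""

def audit_repo_keys(repo_text):
    """Return (keys_in_use, problems) for a .repo file body.

    keys_in_use maps each gpgkey value to the repo ids referencing it;
    problems lists repos with gpgcheck off or with no gpgkey at all.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(repo_text)
    keys, problems = {}, []
    for repo in cp.sections():
        if cp.get(repo, "gpgcheck", fallback="0") != "1":
            problems.append(f"{repo}: gpgcheck is not 1")
        key = cp.get(repo, "gpgkey", fallback="").strip()
        if not key:
            problems.append(f"{repo}: no gpgkey configured")
            continue
        keys.setdefault(key, []).append(repo)
    return keys, problems

def uses_single_key(repo_text):
    """True only when every repo checks signatures against one shared key."""
    keys, problems = audit_repo_keys(repo_text)
    return not problems and len(keys) == 1
```

Run it against a real /etc/yum.repos.d file by reading the file into a string; any repo that drifts to a second key or disables gpgcheck shows up in the problems list or as an extra key.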