
Re: Proposal: Single GPG key per Fedora release (starting with 11)





On Mon, Apr 20, 2009 at 8:28 PM, Mark <markg85 gmail com> wrote:
On Tue, Apr 21, 2009 at 1:17 AM, Jesse Keating <jkeating redhat com> wrote:
> As I mentioned in an earlier thread I was interested in reducing the
> number of gpg keys down to one per release.  Currently we have two, one
> we sign development builds with during beta/preview and updates-testing,
> and then one we sign the released packages with and the stable updates
> with.  Multiple keys per release creates a lot of churn, reduces the
> number of hardlinks we can maintain, and causes a lot of delay in
> getting package sets prepped for the different releases.  As such I'm
> proposing that we reduce the keys down to one per release, used for all
> the scenarios listed, starting with Fedora 11.  There is already a
> Fedora 11 key that was used to sign beta and will be used to sign
> preview release, I would just revoke / delete the current ID which
> mentions testing and replace it with an ID of just "Fedora 11".
> fedora-release will be modified to handle this in the repo files as
> well.
>
> If there are no strong reasonable objections this will happen early this
> week in time for the Preview release.
>

Sounds like a good thing to do.

Just one other thing I notice here.
Look at what you've done here. You suggest something and are going to
implement it unless you get some feedback that lets you think. That on
its own is no problem for me.

The problem I see is that when anyone wants to request anything to be
done in Fedora they have to:
- Write a detailed page on the wiki
- Make a Bugzilla feature request
- wait some time till it's reviewed (can be days, weeks or even months if ever)
- let it be approved by FESCo

and what else did I forget.
I have to mention with that that it's just how I see new stuff getting
in (or rejected).
No first hand experience here but only how I witness it.

So now I'm wondering.. how come that you can get something in within a
matter of hours and without explaining a lot?

To be fair it's not just a couple of hours.  The idea was first mooted on 2009-01-16

http://fedoraproject.org/wiki/FWN/Issue159#New_GPG_Signing_Keys_for_Each_Release

and did not seem to stimulate much in the way of objections.

