Tim wrote:
Bill Davidsen: Suggestion: since the livna key is still secure (AFAIK) let them distribute the new Fedora key and sign the RPM.

Kevin Fenzi: That was suggested before, but it's not a great solution for several reasons: Not everyone has livna enabled. Having one repo publish keys for another seems wrong, especially when they are not officially connected.

I'm not sure whether *also* having the keys on other sites is so bad.

I give up, politics as usual. If a proposed solution isn't perfect it isn't good enough, so trust us.
Well said. Common sense. The political answer is "wait until new improved RPM comes out."

If you take it like the GPG model - countersigning and cross-checking through other sources that you also trust. If Livna, ATRPMs, and a few other usual repos had the same Fedora public key, you'd be more confident that the key you got from what you think is a real Fedora mirror, is the right one.

--
Bill Davidsen <davidsen tmr com>
"We have more to fear from the bungling of the incompetent than from the machinations of the wicked." - from Slashdot