Enhancing cross-distro collaboration via foreign archive keyring availability

Neal Gompa ngompa at fedoraproject.org
Wed Sep 4 13:02:05 UTC 2024


On Wed, Sep 4, 2024 at 8:48 AM Andreas Hasenack <andreas at canonical.com> wrote:
>
> Hi,
>
> On Wed, Sep 4, 2024 at 7:27 AM Luca Boccassi <luca.boccassi at gmail.com> wrote:
>>
>> Hi,
>> (...)
>> Given all of this, the costs appear minor, especially compared to
>> other updates that are part of point releases. Is there perhaps some
>> angle or detail that I am missing here? I appreciate Robie
>
>
> I think one cost that may be missing from this analysis is the burden of responsibility in the case of revoked keys. Should a key be revoked in, say, Fedora, Fedora users can obviously expect an expedited update to the keyring. But will the Fedora maintainers (again, just an example, pick $distro) remember to also propagate this update to every other non-Fedora distro?

For Fedora, distribution-gpg-keys is a prerequisite for the core
packager/developer workflow, and if the key were to be revoked and
replaced, it gets put into that package pretty much immediately.
Otherwise, people's local package builds start failing.



-- 
Neal Gompa (FAS: ngompa)



More information about the ubuntu-devel mailing list