Enhancing cross-distro collaboration via foreign archive keyring availability

Luca Boccassi luca.boccassi at gmail.com
Wed Sep 4 13:04:26 UTC 2024


On Wed, 4 Sept 2024 at 14:02, Neal Gompa <ngompa at fedoraproject.org> wrote:
>
> On Wed, Sep 4, 2024 at 8:48 AM Andreas Hasenack <andreas at canonical.com> wrote:
> >
> > Hi,
> >
> > On Wed, Sep 4, 2024 at 7:27 AM Luca Boccassi <luca.boccassi at gmail.com> wrote:
> >>
> >> Hi,
> >> (...)
> >> Given all of this, the costs appear minor, especially compared to
> >> other updates that are part of point releases. Is there perhaps some
> >> angle or detail that I am missing here? I appreciate Robie
> >
> >
> > I think one cost that may be missing from this analysis is the burden of responsibility in the case of revoked keys. Should a key be revoked in, say, Fedora, Fedora users can obviously expect an expedited update to the keyring. But will the Fedora maintainers (again, just an example, pick $distro) remember to also propagate this update to every other non-Fedora distro?
>
> For Fedora, distribution-gpg-keys is a prerequisite for the core
> packager/developer workflow, and if the key were to be revoked and
> replaced, it gets put into that package pretty much immediately.
> Otherwise, people's local package builds start failing.

Also, as noted, it's the owners that contribute to this upstream that
we are packaging; you can see, for example, that it was Red Hat that
updated it with the new keys for Fedora 43:

https://github.com/rpm-software-management/distribution-gpg-keys/commit/1b0df99205426c334618add049f2916329250d17

I don't know if it has happened in the past, but I would imagine that
in terms of how updates are handled, a revocation wouldn't be
different from an addition - change committed upstream by the owner,
followed by a release.
