Bug 1214150 - fedup 20->22 doesn't automatically download the gpg key
Status: CLOSED CANTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: fedup
Version: 20
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Will Woods
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-04-22 06:13 UTC by Giulio 'juliuxpigface'
Modified: 2015-05-11 12:07 UTC (History)

Doc Type: Bug Fix
Last Closed: 2015-04-27 15:56:57 UTC
Type: Bug


Attachments (Terms of Use)
Part of '/var/log/fedup.log' (1.39 KB, text/plain)
2015-04-22 06:13 UTC, Giulio 'juliuxpigface'


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1220358 | 0 | unspecified | CLOSED | Fedora 20 doesn't contain F22 gpg keys, prevents fedup | 2021-02-22 00:41:40 UTC

Internal Links: 1220358

Description Giulio 'juliuxpigface' 2015-04-22 06:13:19 UTC
Created attachment 1017271 [details]
Part of '/var/log/fedup.log'

Description of problem:

I was following Test_Day:2015-04-21_FedUp. I tried to upgrade a freshly installed Fedora 20 (spin Mate) to Fedora 22 on a KVM guest and received the error shown in the traceback. After importing the appropriate key from fedoraproject.org, the upgrade works as expected.

Version-Release number of selected component (if applicable):
fedup-0.9.2-1.fc20.noarch.rpm

How reproducible:
Always

Steps to Reproduce:
1. Do a regular 'yum update', in order to sync the system with the newest packages.
2. Reboot in order to use the newest kernel (if present)
3. Upgrade with fedup --network 22 --product=non-product --instrepo https://dl.fedoraproject.org/pub/alt/stage/22_Beta_RC3/Server/x86_64/os

Actual results:
1. fedup doesn't automatically import the appropriate gpg key and fails.

Expected results:
1. fedup should (in my opinion) download and import the gpg key without needing user interaction.


Additional info:
I'm attaching debugging information present inside fedup.log.

Comment 1 Will Woods 2015-04-22 17:20:27 UTC
Normally, fedup *does* import the appropriate GPG key. 
Your system is missing the key:

  [  1746.994] (II) fedup:message() Downloading failed: Recupero chiave GPG fallito: [Errno 14] curl#37 - "Couldn't open file /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-22-x86_64"

My F21 systems have that key available:

  [wwoods@f21test ~]$ rpm -qf /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-22-x86_64
  fedora-repos-21-2.noarch

Maybe you're missing that package somehow? Do you have fedora-repos-21 installed?

Comment 2 Will Woods 2015-04-22 17:33:10 UTC
Oh wait, my mistake - I missed that you're using Fedora 20!

Since the Fedora 20 package(s) don't include the Fedora 22 key(s), there's no easy way for you to do this.

You *could* upgrade to F21 first, then go to F22.

You could also try installing the f21 fedora-repos package manually first.

If we supported upgrades that skipped a release, the correct solution would be for the release team to provide an update for F20 that includes the F22 keys. 

But I don't think we support this, officially, which is why your system doesn't have the needed key file.

Comment 3 Giulio 'juliuxpigface' 2015-04-22 18:58:45 UTC
Will, do you confirm that the upgrade from Fedora 20 to Fedora 22 isn't officially supported?

If you confirm that, I'll inform the other folks in QA. The test day mentioned this upgrade, so we need to clarify this thing and improve the case.

Anyway, as I said before, after importing the right gpg key, fedup actually does the upgrade.

Comment 4 DO NOT USE account not monitored (old adamwill) 2015-04-24 21:58:30 UTC
My understanding has always been that we don't *block releases* on N-2 upgrades, but we do 'support' them so far as we'll try and make them work if possible. I'm not sure we've completely explicitly written it down anywhere, but at least the "N is supported until 1 month after N+2 goes stable" policy was explicitly designed to allow you to skip one release when upgrading, for e.g.

Comment 5 Kamil Páral 2015-04-27 08:01:20 UTC
We don't have N-2 upgrading in our release criteria [1], but I believe the common understanding is that it should work. Even some high profile Fedora articles, which I see from time to time, recommend upgrading once a year, if upgrading twice a year is too fast for you.

So, maybe this could be a good FESCo topic. I don't think we have a clear policy on this written anywhere. Our docs don't seem to mention it either [2] [3]. We should publicly either support it and block on it, or discourage it.

Will, before this is clear (or even when it is), do you think the fedup messaging could improve a bit? I.e. warn the users if they try to skip releases during upgrade (say something like that it is not that safe and the recommended way is to go one by one release) and make them confirm their choice?

As for the GPG keys, how did it work in the past? I'm quite sure we tested N+2 upgrading occasionally in the past and I don't remember this gpg key error. What has changed? Is my memory misleading me? Maybe gpg checking used to be not enforced in the past?

Would it be possible for fedup to traverse all releases in the upgrade chain and retrieve the gpg key for N+1 release for each of them? That way we could attempt to make even N+3 (or more) upgrading work. Or, in case you don't decide to do this, fedup should probably say outright that this won't work unless --nogpgcheck option is used. That might save users a lot of searching and troubles. Reopening this bug for discussion.


[1] https://fedoraproject.org/wiki/Fedora_22_Beta_Release_Criteria#Upgrade_requirements
[2] https://fedoraproject.org/wiki/Upgrading
[3] https://fedoraproject.org/wiki/FedUp

Comment 6 Will Woods 2015-04-27 15:56:57 UTC
(In reply to Kamil Páral from comment #5)
> We don't have N-2 upgrading in our release criteria [1], but I believe the
> common understanding is that it should work. Even some high profile Fedora
> articles, which I see from time to time, recommend upgrading once a year,
> if upgrading twice a year is too fast for you.
> 
> So, maybe this could be a good FESCo topic. I don't think we have a clear
> policy on this written anywhere. Our docs don't seem to mention it either
> [2] [3]. We should publicly either support it and block on it, or discourage
> it.

Feel free to take that to meetings, if you like. But that's a matter of policy, not code. 

> Will, before this is clear (or even when it is), do you think the fedup
> messaging could improve a bit? I.e. warn the users if they try to skip
> releases during upgrade (say something like that it is not that safe and the
> recommended way is to go one by one release) and make them confirm their
> choice?

Again, that's a matter of policy, not code. The fedup tool is really just there to download packages and run the upgrade. Policy about what is (or isn't) supported is up to FESCo.

> As for the GPG keys, how did it work in the past? I'm quite sure we tested
> N+2 upgrading occasionally in the past and I don't remember this gpg key
> error. What has changed? Is my memory misleading me? Maybe gpg checking used
> to be not enforced in the past?

This happened with F19. As I said in comment #2, it was fixed by pushing out updated fedora-release packages that contain the F21 keys. 
See the changelog for fedora-release-19-6:
 
  http://koji.fedoraproject.org/koji/buildinfo?buildID=485652

> Would it be possible for fedup to traverse all releases in the upgrade chain
> and retrieve the gpg key for N+1 release for each of them? That way we
> could attempt to make even N+3 (or more) upgrading work. Or, in case you
> don't decide to do this, fedup should probably say outright that this won't
> work unless --nogpgcheck option is used. That might save users a lot of
> searching and troubles. Reopening this bug for discussion.

The current policy is: the keys needed to perform the upgrade get shipped in the fedora-release package for your release.

If you want this to work with the current policy, open a bug against fedora-release-20, because the F22 keys aren't in it.

If we're going to change the policy, a much smarter thing to do would be to use GPG the way it was intended, and establish trust by using the old keys to sign the new keys. Then fedup doesn't need to fetch metadata for four different releases searching for the correct key; if upgrades are allowed, the new key will have a signature from your current key.

But as it stands, this is not a defect in fedup, so there's nothing I can fix here.

Also, bugzilla isn't really the place for policy discussions; please don't reopen this unless there's an actual bug in fedup's key handling.
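
The trust model proposed in comment 6 (old keys sign new keys), sketched as an added example that is not part of the original thread and is not fedup code. It reads a listing in the colon format of `gpg --check-sigs --with-colons` and accepts a target release key only if verified signatures link it back to a key already installed; walking through an intermediate release key generalizes the direct signature the comment describes and assumes that key is in the same listing. The key IDs, the sample listing and the function names are constructed for illustration.

```python
from collections import deque

# Constructed sample, trimmed to the fields used below. In this format
# field 1 is the record type, field 2 on a "sig" record is the check result
# ("!" good, "-" bad, "?" no key), and field 5 is the key ID (the key itself
# on "pub", the issuer on "sig"). None of these are real Fedora key IDs.
SAMPLE = """\
pub:-:4096:1:AAAAAAAAAAAAAA21:1429660800:
sig:!::1:AAAAAAAAAAAAAA21:1429660800::::F21 key (self-signature):13x:
sig:!::1:AAAAAAAAAAAAAA20:1429660800::::F20 key:10x:
pub:-:4096:1:AAAAAAAAAAAAAA22:1429660800:
sig:!::1:AAAAAAAAAAAAAA22:1429660800::::F22 key (self-signature):13x:
sig:!::1:AAAAAAAAAAAAAA21:1429660800::::F21 key:10x:
pub:-:4096:1:BBBBBBBBBBBBBB99:1429660800:
sig:!::1:BBBBBBBBBBBBBB99:1429660800::::unknown key (self-signature):13x:
sig:-::1:AAAAAAAAAAAAAA20:1429660800::::F20 key:10x:
"""

def good_certifiers(listing):
    """Map each key ID to the set of other keys with a verified signature on it."""
    certs, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 5:
            continue
        if f[0] == "pub":
            current = f[4]
            certs[current] = set()
        # Self-signatures prove nothing about origin; bad or unverifiable
        # signatures ("-", "?", "%") are ignored rather than trusted.
        elif f[0] == "sig" and current and f[1] == "!" and f[4] != current:
            certs[current].add(f[4])
    return certs

def trust_path(certs, trusted, target):
    """Breadth-first walk from an installed key to the target via good signatures."""
    queue, seen = deque([[trusted]]), {trusted}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for key, signers in certs.items():
            if path[-1] in signers and key not in seen:
                seen.add(key)
                queue.append(path + [key])
    return None  # no chain of verified signatures: do not import the key

if __name__ == "__main__":
    certs = good_certifiers(SAMPLE)
    for target in ("AAAAAAAAAAAAAA22", "BBBBBBBBBBBBBB99"):
        print(target, "->", trust_path(certs, "AAAAAAAAAAAAAA20", target))
```

The key ending in 99 is rejected even though a signature naming the F20 key appears on it, because that signature did not verify.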

Comment 7 Kamil Páral 2015-05-11 12:07:32 UTC
I have reported bug 1220358 against fedora-release and asked to include F22 keys in F20.

