28246 – RFE: Add testers-list only public signing key for packages

Bug 28246 - RFE: Add testers-list only public signing key for packages

Summary: RFE: Add testers-list only public signing key for packages

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	up2date
Sub Component:
Version:	7.1
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Adrian Likins
QA Contact:	Aaron Brown
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2001-02-19 02:51 UTC by R P Herrold
Modified:	2007-04-18 16:31 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:	2003-02-14 14:00:27 UTC
Embargoed:

Attachments	(Terms of Use)

Description R P Herrold 2001-02-19 02:51:34 UTC

J Katz reprised a prior discussion:

Also note that you're probably going to want to edit
/etc/sysconfig/up2date and set useGPG=0 so that you don't get asked if
you want to continue on every package due to the fact that all of the
beta packages are unsigned :(
 
This brings us back to the question of having a beta key to verify
packages... especially with up2date stuff, it would be _extremely_
helpful                                                            

--------------------------------------

Prior disclaimers apply -- it might be appropiate to add a 'rawhide' key as
well, to allow prevention of unintended installation of rawhide in a
production environment ...

Comment 1 Glen Foster 2001-02-19 20:01:15 UTC

While I like this idea for this, it's not something we'll do right away.  I'm
marking this defect as DEFERRED (but not closing it).

Comment 2 R P Herrold 2001-02-19 21:13:57 UTC

Hi, Glen,            NEEDINFO and non-DEFERRable request

The production cycle is such that in the next few weeks, physical
CD's will be released into the retail market, and the up2date keying
will likewise be pre-keyed.

Does it not make sense to generate known keys for beta and
rawhide , and _DISTRIBUTE_ these NOW, in this cycle,
and build the rest of the infrastructure later?

Comment 3 R P Herrold 2001-04-11 03:51:13 UTC

Re-open for consideration of proposed RFE in RH 7.2

Comment 4 R P Herrold 2001-10-26 00:46:59 UTC

Post release of RH 7.2 
======================
I am still interested in this -- and indeed, if every package was signed -- 
with at least ONE RH key as a matter of the SOP, if the 'released without 
signing' fiasco of  RH 7.2 gold could have been 'covered' by acknowledging the 
secondary previously 'unofficial' key.

Comment 5 Aleksey Nogin 2001-10-26 14:10:48 UTC

There needs to be something similar for rhcontrib (currently rhcontrib.bero.org)
for making sure the mirrored package is the same as the one that was compiled in
rhcontrib. But there we also need some mechanism for preserving the SRPM
signature when the uploaded SRPM was signed.

Comment 6 R P Herrold 2002-02-11 02:31:21 UTC

At relesase of first Beta for RH 8.0
====================================

Still interested -- still applicable for all the same reasons.

Comment 7 Adrian Likins 2002-03-26 22:43:16 UTC

Versions included in the skipjack beta should include a 
beta only key and up2date support for using it.

Comment 8 Jay Turner 2003-02-14 14:00:27 UTC

This has been fixed for quite some time.  Closing out.

Note You need to log in before you can comment on or make changes to this bug.