 
| Subject: | |
| From: | |
| Reply To: | Robert E. Blair |
| Date: | Thu, 23 Jul 2009 13:08:49 -0500 |
| Content-Type: | multipart/mixed |
| Parts/Attachments: |
|
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I see the same problem. It is a bit of a mess because I too always set
gpgcheck=1 and that means a hand edit of all the repo files to recover
since many have changed in other ways as well. It seems like asking for
trouble to set gpgcheck=0 as is the default.
Kelvin Raywood wrote:
| Now that a couple of package updates (libtiff, libtiff-devel) have been
| signed with the new SL signing key, a couple of issues have arisen that
| are causing automatic updates to fail.
|
| In SL 5.1 (and possibly SL 5.0) the release number of the sl-release
| package was not incremented and so those systems did not receive the new
| keys.
|
| [log in to unmask]> rpm -q --changelog sl-release
| * Fri May 23 2008 Troy Dawson <[log in to unmask]> - 5.1-2
| - Changed sources to be 51 instead of 5rolling
|
| ...
|
| ie, sl-release has been at at 5.1-2 since May 2008
|
| The new version of the package is the same release number and the May
| 23, 2008 entry from the changelog has disappeared.
|
| Another cause of update failures is that if the yum repo files have been
| modified (e.g. to enable signature checking), then the update to
| yum-conf added created .rpmnew files but left the modified files in
| place. This is correct behaviour but it means that the path to the new
| key is not in the .repo files and so security updates fail because the
| repository now has packages signed with the new key.
|
| For some systems it is not sufficient to just fix the .repo files. If
| they have missed the update to sl-release because they've been
| offline, or because of the release number problem above, then updates
| will continue to fail because they don't have the new key. The solutions
| on any individual system is fairly straight forward; disable signature
| checking or import the new keys manually. However at TRIUMF (and I
| suspect other institutions) there are a large number of desktop PCs
| managed by their owners; some of whom are less than diligent about
| reading email sent to root about failing yum updates.
|
| When Fedora changed their signing key last year, they created new
| repositories (i386.newkey, x86_64.newkey) and systems were updated in a
| two-step. First the yum-conf package installed new .repo files pointing
| at the new repositories. Then all new updates went to the new
| repositories. This avoided update failures because of missing keys.
|
| Do most people just leave their signature checking disabled and so don't
| have the problem or have I missed something obvious here?
|
| I'm a little surprised that this issue has not already been raised.
|
| Kel Raywood
| TRIUMF
- --
Robert E. Blair, Room C221, Building 360
Argonne National Laboratory (High Energy Physics Division)
9700 South Cass Avenue, Argonne, IL 60439, USA
Phone: (630)-252-7545 FAX: (630)-252-5782
GnuPG Public Key: http://www.hep.anl.gov/reb/key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFKaKcwOMIGC6x7/XQRAlFHAKDD9DAyuNHC0H+jMkk09i7wF/bDzgCeOKrP
hzO5h/5JYdHm2lPvFUDc6co=
=Uk/X
-----END PGP SIGNATURE-----
|
|
|
