SCIENTIFIC-LINUX-USERS Archives

July 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Connie Sieh <[log in to unmask]>
Reply To: Connie Sieh <[log in to unmask]>
Date: Thu, 23 Jul 2009 13:59:26 -0500

The yum-conf should have been updated automatically unless it has been
changed, and in that case the .rpmnew was made.

I think the way Red Hat did it was very confusing and would have caused
other problems.

We know this is a hard pill to swallow.

-connie sieh

On Thu, 23 Jul 2009, Robert E. Blair wrote:

> I see the same problem.  It is a bit of a mess because I too always set
> gpgcheck=1 and that means a hand edit of all the repo files to recover
> since many have changed in other ways as well.  It seems like asking for
> trouble to set gpgcheck=0 as is the default.
>
>

But if you have to fix something manually you might as well fix the 
yum.conf to include the new key.


> Kelvin Raywood wrote:
> | Now that a couple of package updates (libtiff, libtiff-devel) have been
> | signed with the new SL signing key, a couple of issues have arisen that
> | are causing automatic updates to fail.
> |
> | In SL 5.1 (and possibly SL 5.0) the release number of the sl-release
> | package was not incremented and so those systems did not receive the new
> | keys.
> |
> | [log in to unmask]> rpm -q --changelog sl-release
> | * Fri May 23 2008 Troy Dawson <[log in to unmask]> - 5.1-2
> | - Changed sources to be 51 instead of 5rolling
> |
> | ...
> |
> | i.e., sl-release has been at 5.1-2 since May 2008
> |
> | The new version of the package is the same release number and the May
> | 23, 2008 entry from the changelog has disappeared.
> |
> | Another cause of update failures is that if the yum repo files have been
> | modified (e.g. to enable signature checking), then the update to
> | yum-conf created .rpmnew files but left the modified files in
> | place.  This is correct behaviour but it means that the path to the new
> | key is not in the .repo files and so security updates fail because the
> | repository now has packages signed with the new key.
> |
> | For some systems it is not sufficient to just fix the .repo files. If
> | they have missed the update to sl-release because they've been
> | offline, or because of the release number problem above, then updates
> | will continue to fail because they don't have the new key. The solution
> | on any individual system is fairly straightforward; disable signature
> | checking or import the new keys manually. However at TRIUMF (and I
> | suspect other institutions) there are a large number of desktop PCs
> | managed by their owners; some of whom are less than diligent about
> | reading email sent to root about failing yum updates.
> |
> | When Fedora changed their signing key last year, they created new
> | repositories (i386.newkey, x86_64.newkey) and systems were updated in a
> | two-step.  First the yum-conf package installed new .repo files pointing
> | at the new repositories.  Then all new updates went to the new
> | repositories.  This avoided update failures because of missing keys.
> |
> | Do most people just leave their signature checking disabled and so don't
> | have the problem or have I missed something obvious here?
> |
> | I'm a little surprised that this issue has not already been raised.
> |
> | Kel Raywood
> | TRIUMF
>
> - --
> Robert E. Blair, Room C221, Building 360
> Argonne National Laboratory (High Energy Physics Division)
> 9700 South Cass Avenue, Argonne, IL 60439, USA
> Phone: (630)-252-7545  FAX: (630)-252-5782
> GnuPG Public Key: http://www.hep.anl.gov/reb/key.asc

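The failure described in the quoted message, where a locally modified .repo file stays in place and the new key path lands only in the .rpmnew copy, can be found by comparing the two files. The following is an added example, not part of the thread; it assumes the standard /etc/yum.repos.d directory, and the section name and key file names in the sample are constructed placeholders.

```python
import configparser
import pathlib
import tempfile

def repo_keys(path):
    """Map each repo section to (gpgcheck value, set of gpgkey URLs)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(path)
    return {
        sec: (cp.get(sec, "gpgcheck", fallback="unset").strip(),
              set(cp.get(sec, "gpgkey", fallback="").split()))
        for sec in cp.sections()
    }

def audit(repo_dir="/etc/yum.repos.d"):
    """List gpgkey URLs present in X.repo.rpmnew but absent from the live X.repo."""
    findings = []
    for new in sorted(pathlib.Path(repo_dir).glob("*.repo.rpmnew")):
        live = new.with_suffix("")            # foo.repo.rpmnew -> foo.repo
        if not live.exists():
            continue
        live_cfg = repo_keys(live)
        for sec, (_, new_keys) in repo_keys(new).items():
            if sec not in live_cfg:           # section removed locally: nothing to fix
                continue
            gpgcheck, live_keys = live_cfg[sec]
            missing = sorted(new_keys - live_keys)
            if missing:
                findings.append((live.name, sec, gpgcheck, missing))
    return findings

# Constructed sample: section and key file names are placeholders, not real SL values.
OLD = "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OLD-EXAMPLE"
NEW = "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-NEW-EXAMPLE"
LIVE = f"[example-security]\nname=Example\nenabled=1\ngpgcheck=1\ngpgkey={OLD}\n"
RPMNEW = (f"[example-security]\nname=Example\nenabled=1\ngpgcheck=0\n"
          f"gpgkey={OLD}\n       {NEW}\n")   # indented line continues the gpgkey list

def demo():
    """Build a throwaway repo directory with one stale .repo file and audit it."""
    with tempfile.TemporaryDirectory() as d:
        root = pathlib.Path(d)
        (root / "example.repo").write_text(LIVE)
        (root / "example.repo.rpmnew").write_text(RPMNEW)
        (root / "untouched.repo").write_text(LIVE)   # no .rpmnew: not reported
        return audit(root)

if __name__ == "__main__":
    for name, sec, gpgcheck, missing in demo():
        print(f"{name} [{sec}] gpgcheck={gpgcheck}: add {' '.join(missing)}")
```

The audit only compares configuration; it does not check whether the new key has been imported on the system, which the thread notes is a separate requirement.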