Connie Sieh wrote:
>> The yum-conf should have been updated automatically unless it has been 
>> changed and in that case the .rpmnew was made.

Yes.  This is the whole point.  If you have modified the .repo files to 
enable signature checking, then your .repo files will not automatically 
get the path to the new key.  Thus packages in the repo signed with the 
new key cause updates to fail.

>> I think the way redhat did it was very confusing and would have caused 
>> other problems.

Perhaps.  But they did it that way so as not to cause security updates 
to fail on systems where it had been working up to that point.  I think 
the complexity of their solution indicates that introducing a new 
signing key to a live distribution is a problem with no easy solution.

>> We know this is a hard pill to swallow.

OK.  I accept that and I realise that it is not something you guys did 
lightly.  I just wanted to point out to other SL users what some of the 
consequences are.  Many, especially those not on this list, will wonder 
why security updates with signature checking are now failing even though 
they had been working fine.  Many others will not even notice.

Jon Peatfield wrote:
> Since we 'edit' all the standard .repo files to point to local mirrors

We do this also.

> it is fairly painless for us to add in any new keys as needed (and of 
> course for 'our' repos we stick in our signing keys as well).

Yes we have our own repos and signing key as well.  But once the 
automatic updates are failing, it is too late for us to apply a fix by 
updating some local custom rpm.

> If things were split into multiple repos (by key) then we would have to 
> re-work all sorts of scripts and testing those would take us much more 
> time and effort.

I'm not suggesting that this should be done now.  I just wanted to point 
out that it is a complex problem with no easy solution.

> ie of the possible choices I'd say that what Connie and Troy picked is 
> the best solution (for us anyway).

I really appreciate all their effort so I don't mean to complain.  For 
me, the timing was bad due to a summer vacation and I didn't manage to 
get out an update to a local rpm before packages signed with the new key 
hit the repos.

> Of course in our setup all the relevant machines are centrally managed 
> by us so we don't have to worry about user-admin'd boxes and can simply 
> arrange to sync over new .repo files from our nightly hack-things-about 
> scripts... :-)

We also have no problem with our centrally-managed machines but it did 
require that we (and you) do something rather than nothing.  For 
"user-admin'd boxes" I've sent an announcement asking people to import 
the new keys manually.  We have a mechanism to identify PCs on our 
network that are failing their nightly updates, and will contact the 
owners to remind them of what they need to do.

Kel Raywood
TRIUMF