Subject: | |
From: | |
Reply To: | |
Date: | Thu, 23 Jul 2009 19:04:57 -0700 |
Content-Type: | text/plain |
Parts/Attachments: |
|
|
Connie Sieh wrote:
>> The yum-conf should have been updated automatically unless it has been
>> changed and in that case the .rpmnew was made.
Yes. This is the whole point. If you have modified the .repo files to
enable signature checking, then your .repo files will not automatically
get the path to the new key. Thus packages in the repo signed with the
new key cause updates to fail.
>> I think the way redhat did it was very confusing and would have caused
>> other problems.
Perhaps. But they did it that way so as not to cause security updates
to fail on systems where it had been working up to that point. I think
the complexity of their solution indicates that introducing a new
signing key to a live distribution is a problem with no easy solution.
>> We know this is a hard pill to swallow.
OK. I accept that and I realise that it is not something you guys did
lightly. I just wanted to point out to other SL users what some of the
consequences are. Many, especially those not on this list, will wonder
why security updates with signature checking are now failing even though
they had been working fine. Many others will not even notice.
Jon Peatfield wrote:
> Since we 'edit' all the standard .repo files to point to local mirrors
We do this also.
> it is fairly painless for us to add in any new keys as needed (and of
> course for 'our' repos we stick in our signing keys as well).
Yes we have our own repos and signing key as well. But once the
automatic updates are failing, it is too late for us to apply a fix by
updating some local custom rpm.
> If things were split into multiple repos (by key) then we would have to
> re-work all sorts of scripts and testing those would take us much more
> time and effort.
I'm not suggesting that this should be done now. I just wanted to point
out that it is a complex problem with no easy solution.
> ie of the possible choices I'd say that what Connie and Troy picked is
> the best solution (for us anyway).
I really appreciate all their effort so I don't mean to complain. For
me, the timing was bad due to a summer vacation and I didn't manage to
get out an update to a local rpm before packages signed with the new key
hit the repos.
> Of course in our setup all the relevant machines are centrally managed
> by us so we don't have to worry about user-admin'd boxes and can simply
> arrange to sync over new .repo files from our nightly hack-things-about
> scripts... :-)
We also have no problem with our centrally-managed machines but it did
require that we (and you) do something rather than nothing. For
"user-admin'd boxes" I've sent an announcement asking people to import
the new keys manually. We have a mechanism to identify PCs on our
network that are failing their nightly updates, and will contact the
owners to remind them of what they need to do.
Kel Raywood
TRIUMF
|
|
|