SCIENTIFIC-LINUX-USERS Archives

July 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Jon Peatfield <[log in to unmask]>
Reply To: Jon Peatfield <[log in to unmask]>
Date: Fri, 24 Jul 2009 20:04:25 +0100

On Thu, 23 Jul 2009, Kelvin Raywood wrote:

<snip>
>>  Of course in our setup all the relevant machines are centrally managed by
>>  us so we don't have to worry about user-admin'd boxes and can simply
>>  arrange to sync over new .repo files from our nightly hack-things-about
>>  scripts... :-)
>
> We also have no problem with our centrally-managed machines but it did 
> require that we (and you) do something rather than nothing.

All I was saying was that putting the rpms signed with a new key into a 
different repo (as you say Fedora did) would have required us (if not you) 
to do more.  No solution would have required _us_ to do nothing since we 
don't use the standard .repo files.

> For "user-admin'd boxes" I've sent an announcement asking people to 
> import the new keys manually.  We have a mechanism to identify PCs on 
> our network that are failing their nightly updates, and will contact the 
> owners to remind them of what they need to do.

Perhaps the problem is that turning on signature checking is a fairly 
common edit but still prevents the update of .repo files for people who 
otherwise made no changes.

If your users' boxes also point at a repo you control then you can stick a 
package in there (signed by a key they already have!) which does the new 
key imports etc and tell them to install it...
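
An added example, not part of the original message: one way to spot the boxes discussed above, where signature checking is on but the .repo file never gained the new key's gpgkey entry. The repo ids, URLs and key file names are constructed placeholders, and the treatment of a missing gpgcheck line as "checking on" is an assumption exposed as a parameter.

```python
import configparser

# Constructed sample .repo content; ids, URLs and key paths are placeholders.
OLD_KEY = "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example-old"
NEW_KEY = "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example-new"
SAMPLE = f"""\
[example-base]
name=Example base
baseurl=http://repo.example.org/$releasever/$basearch/base
enabled=1
gpgcheck=1
gpgkey={OLD_KEY}

[example-updates]
name=Example updates
baseurl=http://repo.example.org/$releasever/$basearch/updates
enabled=1
gpgcheck=1
gpgkey={OLD_KEY}
       {NEW_KEY}

[example-unsigned]
name=Signature checking off, so a key change cannot block updates
enabled=1
gpgcheck=0

[example-disabled]
name=Not enabled, so ignored
enabled=0
gpgcheck=1
gpgkey={OLD_KEY}
"""

def repos_missing_key(repo_text, new_key, default_gpgcheck=True):
    """Return ids of enabled, signature-checked repos whose gpgkey list lacks new_key."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(repo_text)
    missing = []
    for repo_id in cp.sections():
        sec = cp[repo_id]
        if sec.get("enabled", "1").strip() != "1":
            continue  # a repo with no "enabled" line counts as enabled
        raw = sec.get("gpgcheck")
        checked = default_gpgcheck if raw is None else raw.strip() == "1"
        # gpgkey may list several URLs, space separated or on continuation lines
        if checked and new_key not in sec.get("gpgkey", "").split():
            missing.append(repo_id)
    return missing

if __name__ == "__main__":
    print(repos_missing_key(SAMPLE, NEW_KEY))
```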
