>
> Hi,
>
> On Wed, Sep 4, 2024 at 7:27 AM Luca Boccassi <luca.boccassi@gmail.com> wrote:
>>
>> Hi,
>> (...)
>> Given all of this, the costs appear minor, especially compared to
>> other updates that are part of point releases. Is there perhaps some
>> angle or detail that I am missing here? I appreciate Robie
>
>
> I think one cost that may be missing from this analysis is the burden of responsibility in the case of revoked keys. Should a key be revoked in, say, Fedora, Fedora users can obviously expect an expedited update to the keyring. But will the Fedora maintainers (again, just an example, pick $distro) remember to also propagate this update to every other non-Fedora distro?
For Fedora, distribution-gpg-keys is a prerequisite for the core
packager/developer workflow, and if the key were to be revoked and
replaced, it gets put into that package pretty much immediately.
Otherwise, people's local package builds start failing.
--
Neal Gompa (FAS: ngompa)
--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com