Wednesday 4 September 2024

Re: Enhancing cross-distro collaboration via foreign archive keyring availability

On Wed, 4 Sept 2024 at 14:02, Neal Gompa <ngompa@fedoraproject.org> wrote:
>
> On Wed, Sep 4, 2024 at 8:48 AM Andreas Hasenack <andreas@canonical.com> wrote:
> >
> > Hi,
> >
> > On Wed, Sep 4, 2024 at 7:27 AM Luca Boccassi <luca.boccassi@gmail.com> wrote:
> >>
> >> Hi,
> >> (...)
> >> Given all of this, the costs appear minor, especially compared to
> >> other updates that are part of point releases. Is there perhaps some
> >> angle or detail that I am missing here? I appreciate Robie
> >
> >
> > I think one cost that may be missing from this analysis is the burden of responsibility in the case of revoked keys. Should a key be revoked in, say, Fedora, Fedora users can obviously expect an expedited update to the keyring. But will the Fedora maintainers (again, just an example, pick $distro) remember to also propagate this update to every other non-fedora distro?
>
> For Fedora, distribution-gpg-keys is a prerequisite for the core
> packager/developer workflow, and if the key were to be revoked and
> replaced, it gets put into that package pretty much immediately.
> Otherwise, people's local package builds start failing.

Also as noted, it's the owners that contribute to this upstream that
we are packaging, you can see for example that it was RedHat that
updated it with the new keys for Fedora 43:

https://github.com/rpm-software-management/distribution-gpg-keys/commit/1b0df99205426c334618add049f2916329250d17

I don't know if it has happened in the past, but I would imagine that
in terms of how updates are handled, a revocation wouldn't be
different from an addition - change committed upstream by the owner,
followed by a release.

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
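The revocation case discussed in this thread is easiest to reason about with a concrete check. The following is an added example, not code from the thread or from the distribution-gpg-keys project: it parses `gpg --with-colons` key-listing output (the listing below is constructed, with placeholder key IDs and fingerprints) and reports primary keys that are revoked or past their expiry date. That is the check a packager would run over a shipped keyring file to see whether the packaged copy has fallen behind upstream. It assumes GnuPG 2.x colon output with Unix-timestamp dates; only `pub` records are audited, since the primary keys are what the keyring vouches for.

```python
"""Audit a GnuPG colon-format key listing for revoked or expired primary keys.

Run `gpg --show-keys --with-colons <keyring-file> > listing.txt` and pass the
file as the first argument; with no argument the constructed sample is used.
Field layout follows GnuPG's doc/DETAILS: field 2 is the validity flag
('r' revoked, 'e' expired), field 5 the key ID, fields 6/7 creation and
expiry as Unix timestamps (expiry may be empty), field 10 the user ID or
fingerprint for uid/fpr records.
"""
import sys
from datetime import datetime, timezone

# Constructed sample listing (placeholder IDs, not real distribution keys).
# Key A is current; B is revoked; C is marked expired by gpg; D's expiry has
# passed since the listing was generated, so gpg had not yet flagged it 'e'.
SAMPLE_LISTING = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1500000000:1800000000::-:::scESC::::::23::0:
fpr:::::::::1111111111111111111111111111AAAAAAAAAAAAAAAA:
uid:-::::1500000000::HASH::Example Distro 43 (constructed) <key@example.invalid>::::::::::0:
pub:r:4096:1:BBBBBBBBBBBBBBBB:1400000000:::-:::scESC::::::23::0:
fpr:::::::::2222222222222222222222222222BBBBBBBBBBBBBBBB:
uid:r::::1400000000::HASH::Example Distro 41 (constructed, revoked) <old@example.invalid>::::::::::0:
pub:e:4096:1:CCCCCCCCCCCCCCCC:1300000000:1600000000::-:::scESC::::::23::0:
fpr:::::::::3333333333333333333333333333CCCCCCCCCCCCCCCC:
uid:e::::1300000000::HASH::Example Distro 40 (constructed, expired) <gone@example.invalid>::::::::::0:
pub:-:4096:1:DDDDDDDDDDDDDDDD:1550000000:1650000000::-:::scESC::::::23::0:
fpr:::::::::4444444444444444444444444444DDDDDDDDDDDDDDDD:
uid:-::::1550000000::HASH::Example Distro 42 (constructed, lapsed) <late@example.invalid>::::::::::0:
"""


def parse_pub_records(listing):
    """Return one dict per primary key, merging each pub record with the
    fpr and first uid records that GnuPG prints directly after it.
    Subkey (sub/ssb) records are deliberately ignored."""
    keys = []
    current = None
    for line in listing.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            current = {
                "keyid": fields[4],
                "validity": fields[1],
                "created": int(fields[5]) if fields[5] else None,
                "expires": int(fields[6]) if fields[6] else None,
                "fingerprint": None,
                "uid": None,
            }
            keys.append(current)
        elif rtype == "fpr" and current is not None and current["fingerprint"] is None:
            current["fingerprint"] = fields[9]
        elif rtype == "uid" and current is not None and current["uid"] is None:
            current["uid"] = fields[9]
    return keys


def audit_keys(keys, now):
    """Return findings for keys that are revoked, or expired either by gpg's
    validity flag or by an expiry timestamp at or before `now`. Checking the
    timestamp as well as the flag catches listings generated before a key
    lapsed, e.g. a cached or archived listing."""
    findings = []
    for k in keys:
        reasons = []
        if k["validity"] == "r":
            reasons.append("revoked")
        lapsed = k["expires"] is not None and k["expires"] <= now
        if k["validity"] == "e" or lapsed:
            reasons.append("expired")
        if reasons:
            findings.append({"keyid": k["keyid"], "uid": k["uid"], "reasons": reasons})
    return findings


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            listing = fh.read()
    else:
        listing = SAMPLE_LISTING
    now = int(datetime.now(timezone.utc).timestamp())
    findings = audit_keys(parse_pub_records(listing), now)
    for f in findings:
        print(f"{f['keyid']}  {', '.join(f['reasons'])}  {f['uid']}")
    # Non-zero exit lets a packaging CI job fail when the keyring is stale.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Exit status 1 on any finding makes the script usable as a gate in a package build, so a keyring that still carries a revoked or lapsed primary key is noticed at build time rather than after the point release ships.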