> 
> If so, rpm should either ignore secondary key or refuse to install such
> joint at all.
> 

RPM *does* ignore secondary keys.

And look carefully at this well-formed pubkey (scroll through the page)

        http://keys.niif.hu/pks/lookup?op=vindex&search=0x0B7F8B60E3EDFAE3

It is not at all clear how to filter crap like this out of pubkeys and refuse to
import.

What RPM does instead is exactly what is requested: It verifies
the CRC in the armor while converting the base64, and pushes
the blob into /var/lib/rpm/Pubkeys.

WYSIWYG.

> On the PLD side - someone has to split the key on FTP (and then in
> rpm.git). Or remove it completely, as apparently no one uses sigs anyway…
> 

Yes.

Glenn: and this is likely the cause for inability to verify signatures
while doing rpm --verify, so the patch that disables can likely
be removed.

73 de Jeff
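
The armor step described in the message above, as an added example that is not part of the original e-mail and is not RPM's code: decode the base64 body and check the CRC-24 from RFC 4880 section 6.1. The sample blob and the function names are constructed for illustration; a passing CRC only shows the armor arrived intact and says nothing about which keys the blob contains.

```python
import base64

CRC24_INIT = 0xB704CE   # RFC 4880 section 6.1
CRC24_POLY = 0x1864CFB
BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"
SAMPLE_BLOB = b"constructed sample bytes, not a real OpenPGP key"

def crc24(data: bytes) -> int:
    """CRC-24 as used for the OpenPGP armor checksum line."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(blob: bytes) -> str:
    """Build an armor block around blob (used here only to make sample input)."""
    body = base64.b64encode(blob).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    check = base64.b64encode(crc24(blob).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "", *lines, "=" + check, END, ""])

def dearmor(text: str) -> bytes:
    """Return the binary blob, or raise ValueError if the armor is damaged."""
    lines = [line.strip() for line in text.splitlines()]
    body = lines[lines.index(BEGIN) + 1:lines.index(END)]
    # Armor headers ("Version: ...") end at the first blank line.
    body = [line for line in body[body.index("") + 1:] if line]
    if not body or not body[-1].startswith("=") or len(body[-1]) != 5:
        raise ValueError("armor checksum line missing")
    expected = int.from_bytes(base64.b64decode(body[-1][1:], validate=True), "big")
    blob = base64.b64decode("".join(body[:-1]), validate=True)
    if crc24(blob) != expected:
        raise ValueError("armor CRC-24 mismatch")
    return blob

if __name__ == "__main__":
    text = armor(SAMPLE_BLOB)
    print(text)
    print("decoded %d bytes, CRC ok" % len(dearmor(text)))
```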
