On Thu, 23 Jul 2009, Kelvin Raywood wrote:
<snip>
Of course in our setup all the relevant machines are centrally managed by
us so we don't have to worry about user-admin'd boxes and can simply
arrange to sync over new .repo files from our nightly hack-things-about
scripts... :-)
We also have no problem with our centrally-managed machines but it did
require that we (and you) do something rather than nothing.
All I was saying was that putting the rpms signed with a new key into a
different repo (as you say Fedora did) would have required us (if not you)
to do more. No solution would have required _us_ to do nothing since we
don't use the standard .repo files.
For "user-admin'd boxes" I've sent an announcement asking people to
import the new keys manually. We have a mechanism to identify PCs on
our network that are failing their nightly updates, and will contact the
owners to remind them of what they need to do.
Perhaps the problem is that turning on signature checking is a fairly
common edit but still prevents the update of .repo files for people who
otherwise made no changes.
If your users' boxes also point at a repo you control then you can stick a
package in there (signed by a key they already have!) which does the new
key imports etc and tell them to install it...
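The thread turns on two .repo settings: whether gpgcheck is switched on at all, and, when it is, whether a gpgkey line lets yum fetch the key itself or the key has to be imported by hand (the situation that breaks nightly updates until the owner acts). The script below is an added example, not code from this list or from any distribution; it audits .repo-format text for enabled sections that either have signature checking off or have gpgcheck=1 with no gpgkey. The repo names, paths and URLs in the sample are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Audits yum .repo text for enabled
# sections that would accept unsigned packages (gpgcheck not 1) or that
# require a manual key import (gpgcheck=1 but no gpgkey line).

# Constructed sample .repo content; names, URLs and key path are made up.
SAMPLE_REPO='[sl-base]
name=Sample base repo (constructed)
baseurl=http://repo.example.internal/sl/5x/os
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[sl-extras]
name=Sample extras repo (constructed)
baseurl=http://repo.example.internal/sl/5x/extras
enabled=1
gpgcheck=0

[sl-security]
name=Sample security repo (constructed)
baseurl=http://repo.example.internal/sl/5x/updates/security
enabled=1
gpgcheck=1

[sl-testing]
name=Sample testing repo (constructed)
baseurl=http://repo.example.internal/sl/5x/testing
enabled=0
gpgcheck=1
'

# audit_repo_text TEXT: prints one finding per problematic enabled section.
# Disabled sections (enabled=0) are skipped; a missing enabled= line counts
# as enabled, a missing gpgcheck= line counts as checking off.
audit_repo_text() {
    printf '%s\n' "$1" | awk '
    function flush() {
        if (sec != "" && enabled == "1") {
            if (gpgcheck != "1")
                print sec ": gpgcheck is not 1 (unsigned packages would be accepted)"
            else if (gpgkey == "")
                print sec ": gpgcheck=1 but no gpgkey (key must already be imported by hand)"
        }
    }
    /^\[.*\]$/ {
        flush()
        sec = substr($0, 2, length($0) - 2)
        enabled = "1"; gpgcheck = ""; gpgkey = ""
        next
    }
    /^[ \t]*#/ { next }
    /^[ \t]*enabled[ \t]*=/  { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]*$/, ""); enabled = $0; next }
    /^[ \t]*gpgcheck[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]*$/, ""); gpgcheck = $0; next }
    /^[ \t]*gpgkey[ \t]*=/   { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]*$/, ""); gpgkey = $0; next }
    END { flush() }'
}

# audit_repo_file PATH: same check on a real file, e.g. under /etc/yum.repos.d.
audit_repo_file() {
    audit_repo_text "$(cat "$1")"
}

# Demo run on the constructed sample.
audit_repo_text "$SAMPLE_REPO"
```

On the sample this reports sl-extras (checking off) and sl-security (checking on, but no key source, so the update fails until someone runs the manual import); sl-base passes and sl-testing is ignored because it is disabled. Running `audit_repo_file` over every file in a machine's repo directory from the nightly job is one way to find the boxes that will start failing when keys roll over, before the failures show up.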