Re: fedora-gpg-keys not updated yet again
This is the time of the year again and I must say that the situation improved. The process was:

~~~
$ sudo dnf update fedora-gpg-keys
$ sudo dnf update fedora-repos --release 33
~~~

Where for the second command, you have to confirm the GPG key import. Please note that the `--release 33` has to be specified, because while the fedora-rawhide repo points to a `rawhide` mirror:

~~~
metalink=https://mirrors.fedoraproject.org/metalink?repo=rawhide&arch=$basearch
~~~

The GPG key refers to `$releasever`

~~~
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
~~~

This is discussed in https://pagure.io/releng/issue/7445 AFAIK.

Vít

On 19. 08. 19 at 10:50, Zbigniew Jędrzejewski-Szmek wrote:
> This seems to repeat every 6 months: rawhide mock is broken on stable
> Fedora, people are scrambling to install the right gpg keys, dnf reports
> unsigned packages.
>
> Looking at https://bodhi.fedoraproject.org/updates/?packages=fedora-repos,
> there is still no F30 package with the right keys.
>
> Can we *please* send out the FN+1 and FN+2 keys a month before branching,
> to *all* releases of Fedora, so we can avoid this pointless scramble?
>
> Zbyszek

___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org

Re: fedora-gpg-keys not updated yet again
On 8/24/19 4:12 AM, Dusty Mabe wrote:
> On 8/23/19 12:21 PM, Kevin Fenzi wrote:
>> On 8/23/19 4:12 AM, Dusty Mabe wrote:
>>> On 8/22/19 12:58 PM, Kevin Fenzi wrote:
>>>> On 8/21/19 9:27 AM, Dusty Mabe wrote:
>>>>> On 8/19/19 6:59 AM, Pavel Raiskup wrote:
>>>>>> On Monday, August 19, 2019 10:50:52 AM CEST Zbigniew Jędrzejewski-Szmek wrote:
>>>>>>> Can we *please* send out the FN+1 and FN+2 keys a month before branching,
>>>>>>> to *all* releases of Fedora, so we can avoid this pointless scramble?
>>>>>>
>>>>>> What about to have F33 keys right now, when the fresh F31 branch is out?
>>>>>
>>>>> +1. Go ahead and make the f33 keys when we branch for f31.
>>>>
>>>> I don't see how this helps any. I agree we should push out the f33 keys
>>>> before next branching, but why now?
>>>
>>> For me it solves any "timing" issues. We often get into a state where we're
>>> trying to upgrade to something that is signed with a key we don't have yet.
>>
>> Yes, but it would also be solved by pushing the F33 key out a few weeks
>> or a month or so before branching next time right?
>
> It depends on how often people update. If they wait a month to do an update we
> still get into a situation like this where fedora-gpg-keys doesn't have the key
> but they are trying to update to a system that has content signed by it.
>
> Creating the key for the next next rawhide at time of branching would also mean
> that we make minimal changes to our existing SOPs. The ONLY change is that now
> we're creating the key for the next next rawhide instead.

Sure, I suppose. I'll see about moving that around in the SOP.

kevin

Re: fedora-gpg-keys not updated yet again
On 8/23/19 12:21 PM, Kevin Fenzi wrote:
> On 8/23/19 4:12 AM, Dusty Mabe wrote:
>> On 8/22/19 12:58 PM, Kevin Fenzi wrote:
>>> On 8/21/19 9:27 AM, Dusty Mabe wrote:
>>>> On 8/19/19 6:59 AM, Pavel Raiskup wrote:
>>>>> On Monday, August 19, 2019 10:50:52 AM CEST Zbigniew Jędrzejewski-Szmek wrote:
>>>>>> Can we *please* send out the FN+1 and FN+2 keys a month before branching,
>>>>>> to *all* releases of Fedora, so we can avoid this pointless scramble?
>>>>>
>>>>> What about to have F33 keys right now, when the fresh F31 branch is out?
>>>>
>>>> +1. Go ahead and make the f33 keys when we branch for f31.
>>>
>>> I don't see how this helps any. I agree we should push out the f33 keys
>>> before next branching, but why now?
>>
>> For me it solves any "timing" issues. We often get into a state where we're
>> trying to upgrade to something that is signed with a key we don't have yet.
>
> Yes, but it would also be solved by pushing the F33 key out a few weeks
> or a month or so before branching next time right?

It depends on how often people update. If they wait a month to do an update we still get into a situation like this where fedora-gpg-keys doesn't have the key but they are trying to update to a system that has content signed by it.

Creating the key for the next next rawhide at time of branching would also mean that we make minimal changes to our existing SOPs. The ONLY change is that now we're creating the key for the next next rawhide instead.

Dusty

Re: fedora-gpg-keys not updated yet again
On 8/23/19 4:12 AM, Dusty Mabe wrote:
> On 8/22/19 12:58 PM, Kevin Fenzi wrote:
>> On 8/21/19 9:27 AM, Dusty Mabe wrote:
>>> On 8/19/19 6:59 AM, Pavel Raiskup wrote:
>>>> On Monday, August 19, 2019 10:50:52 AM CEST Zbigniew Jędrzejewski-Szmek wrote:
>>>>> Can we *please* send out the FN+1 and FN+2 keys a month before branching,
>>>>> to *all* releases of Fedora, so we can avoid this pointless scramble?
>>>>
>>>> What about to have F33 keys right now, when the fresh F31 branch is out?
>>>
>>> +1. Go ahead and make the f33 keys when we branch for f31.
>>
>> I don't see how this helps any. I agree we should push out the f33 keys
>> before next branching, but why now?
>
> For me it solves any "timing" issues. We often get into a state where we're
> trying to upgrade to something that is signed with a key we don't have yet.

Yes, but it would also be solved by pushing the F33 key out a few weeks or a month or so before branching next time right?

kevin

Re: fedora-gpg-keys not updated yet again
On 8/22/19 12:58 PM, Kevin Fenzi wrote:
> On 8/21/19 9:27 AM, Dusty Mabe wrote:
>> On 8/19/19 6:59 AM, Pavel Raiskup wrote:
>>> On Monday, August 19, 2019 10:50:52 AM CEST Zbigniew Jędrzejewski-Szmek wrote:
>>>> Can we *please* send out the FN+1 and FN+2 keys a month before branching,
>>>> to *all* releases of Fedora, so we can avoid this pointless scramble?
>>>
>>> What about to have F33 keys right now, when the fresh F31 branch is out?
>>
>> +1. Go ahead and make the f33 keys when we branch for f31.
>
> I don't see how this helps any. I agree we should push out the f33 keys
> before next branching, but why now?

For me it solves any "timing" issues. We often get into a state where we're trying to upgrade to something that is signed with a key we don't have yet.

With ostree we hit this every time we branch. Here is where a user hit it this time:

https://discussion.fedoraproject.org/t/unable-to-update-gpg-signatures-found-but-none-are-in-trusted-keyring/2703/3?u=dustymabe

There could be other problems that won't be solved but if we get the key out now for the next release we'll at least solve any races and problems like this.

Dusty

Re: fedora-gpg-keys not updated yet again
On Fri, Aug 23, 2019 at 10:39 AM Vít Ondruch wrote:
> On 22. 08. 19 at 18:57, Kevin Fenzi wrote:
>> On 8/21/19 3:24 AM, Vít Ondruch wrote:
>>> That is not completely true. The only possible way is to update the
>>> `fedora-gpg-keys` first without anything else and that was the reason
>>> for [1]. But since [1] did not land in Fedora prior the branch, there
>>> is no way to update Rawhide and keep everything Rawhide and at the same
>>> time keep checking signatures all the time.
>>
>> But you could upgrade to the f31 version and then to rawhide.
>>
>>> IOW prior branch, I had installed fedora-repos-31-0.2 together with
>>> fedora-gpg-keys-31-0.2. As long as there was no F31 compose, there was
>>> available fedora-repos-32-0.2 together with fedora-gpg-keys-32-0.2 (or
>>> 0.1, it does not really matter), but those were not possible to install,
>>> because they are signed by F32 GPG key, which is not available on my
>>> system yet. The fedora-repos-31-0.5 is the first post branch package
>>> signed with the key on my system. This allows me to install
>>> fedora-gpg-keys-31-0.5 but at the same time it changes the configuration
>>> of /etc/yum.repos.d/fedora{,-rawhide}.repo making the system F31 instead
>>> of Rawhide. And this is wrong.
>>
>> Wrong how? What do you want there?
>
> My system is Rawhide and should stay Rawhide. I don't want to stay on F31
> by mistake. I don't ever want to install anything from stable branch.
>
>> Most/many people want to follow the
>> branch, so that's what we have always done there.
>
> Some people want, but I doubt it is majority. It makes no sense to
> suddenly switch from Rawhide to F31. Rawhide should be always Rawhide and
> switching to stable branch should be conscious decision.
>
>> In any event, hopefully soon we will have rawhide named rawhide and not
>> 31 or 32 and with that you can indicate what you want to do much more
>> clearly.
>
> Looking forward to this.

External testing is very welcome:
https://pagure.io/releng/issue/7445
https://copr.fedorainfracloud.org/coprs/kparal/rawhide-releasever/

This will also have the effect that Rawhide installation will always stay Rawhide, and you'll need to explicitly switch to Branched, if you want to do so.

Re: fedora-gpg-keys not updated yet again
On 22. 08. 19 at 18:57, Kevin Fenzi wrote:
> On 8/21/19 3:24 AM, Vít Ondruch wrote:
>> That is not completely true. The only possible way is to update the
>> `fedora-gpg-keys` first without anything else and that was the reason
>> for [1]. But since [1] did not land in Fedora prior the branch, there
>> is no way to update Rawhide and keep everything Rawhide and at the same
>> time keep checking signatures all the time.
>
> But you could upgrade to the f31 version and then to rawhide.
>
>> IOW prior branch, I had installed fedora-repos-31-0.2 together with
>> fedora-gpg-keys-31-0.2. As long as there was no F31 compose, there was
>> available fedora-repos-32-0.2 together with fedora-gpg-keys-32-0.2 (or
>> 0.1, it does not really matter), but those were not possible to install,
>> because they are signed by F32 GPG key, which is not available on my
>> system yet. The fedora-repos-31-0.5 is the first post branch package
>> signed with the key on my system. This allows me to install
>> fedora-gpg-keys-31-0.5 but at the same time it changes the configuration
>> of /etc/yum.repos.d/fedora{,-rawhide}.repo making the system F31 instead
>> of Rawhide. And this is wrong.
>
> Wrong how? What do you want there?

My system is Rawhide and should stay Rawhide. I don't want to stay on F31 by mistake. I don't ever want to install anything from stable branch.

> Most/many people want to follow the
> branch, so that's what we have always done there.

Some people want, but I doubt it is majority. It makes no sense to suddenly switch from Rawhide to F31. Rawhide should be always Rawhide and switching to stable branch should be conscious decision.

> In any event, hopefully soon we will have rawhide named rawhide and not
> 31 or 32 and with that you can indicate what you want to do much more
> clearly.

Looking forward to this.

>> But it should be better next time, because [1] finally landed. It allows
>> to update fedora-gpg-keys without updating fedora-repos. That means it
>> should be possible to get the new Rawhide keys and then keep updating
>> from Rawhide repository.
>
> You can still update both and just change the repo configs the way you
> want as well.

I could do a lot of things, but ideally I should do nothing else than "dnf update", because I am using Rawhide.

Vít

> kevin

Re: fedora-gpg-keys not updated yet again
On 8/21/19 9:27 AM, Dusty Mabe wrote:
> On 8/19/19 6:59 AM, Pavel Raiskup wrote:
>> On Monday, August 19, 2019 10:50:52 AM CEST Zbigniew Jędrzejewski-Szmek wrote:
>>> Can we *please* send out the FN+1 and FN+2 keys a month before branching,
>>> to *all* releases of Fedora, so we can avoid this pointless scramble?
>>
>> What about to have F33 keys right now, when the fresh F31 branch is out?
>
> +1. Go ahead and make the f33 keys when we branch for f31.

I don't see how this helps any. I agree we should push out the f33 keys before next branching, but why now?

kevin

Re: fedora-gpg-keys not updated yet again
On 8/21/19 3:24 AM, Vít Ondruch wrote:
> That is not completely true. The only possible way is to update the
> `fedora-gpg-keys` first without anything else and that was the reason
> for [1]. But since [1] did not land in Fedora prior the branch, there
> is no way to update Rawhide and keep everything Rawhide and at the same
> time keep checking signatures all the time.

But you could upgrade to the f31 version and then to rawhide.

> IOW prior branch, I had installed fedora-repos-31-0.2 together with
> fedora-gpg-keys-31-0.2. As long as there was no F31 compose, there was
> available fedora-repos-32-0.2 together with fedora-gpg-keys-32-0.2 (or
> 0.1, it does not really matter), but those were not possible to install,
> because they are signed by F32 GPG key, which is not available on my
> system yet. The fedora-repos-31-0.5 is the first post branch package
> signed with the key on my system. This allows me to install
> fedora-gpg-keys-31-0.5 but at the same time it changes the configuration
> of /etc/yum.repos.d/fedora{,-rawhide}.repo making the system F31 instead
> of Rawhide. And this is wrong.

Wrong how? What do you want there? Most/many people want to follow the branch, so that's what we have always done there.

In any event, hopefully soon we will have rawhide named rawhide and not 31 or 32 and with that you can indicate what you want to do much more clearly.

> But it should be better next time, because [1] finally landed. It allows
> to update fedora-gpg-keys without updating fedora-repos. That means it
> should be possible to get the new Rawhide keys and then keep updating
> from Rawhide repository.

You can still update both and just change the repo configs the way you want as well.

kevin

Re: fedora-gpg-keys not updated yet again
On 8/21/19 2:50 AM, Petr Mensik wrote:
> I think f32 key should NOT be used until this is fully separated and
> compose for older versions exist. Unless that key was leaked somehow,
> there is no hurry, right? That hurry makes pain to many people without
> justification for it,
> I think.

Well, sure, I suggested we might want to 'pause' rawhide composes until we have a branched next time, but that isn't great either because it means people wanting to work on rawhide also have to wait for it.

> There would always be mass rebuild in later stage of F32, no need to
> switch key immediately. I think new key should not be enabled for
> signing in new Rawhide until all supported versions have that key in
> stable updates repo. That is not yet true now.

Sure, and we could push the new fedora-repos update sooner. I don't disagree.

> I am thinking, is there written guidance how to switch signing key on a
> branch? Are we prepared for emergency in case that key was leaked?

We had to do this in fedora 9(?). Basically a new key was issued and everything was resigned with that key and the repo was fedora9-newkey.

kevin

Re: fedora-gpg-keys not updated yet again
On 8/19/19 6:59 AM, Pavel Raiskup wrote:
> On Monday, August 19, 2019 10:50:52 AM CEST Zbigniew Jędrzejewski-Szmek wrote:
>> Can we *please* send out the FN+1 and FN+2 keys a month before branching,
>> to *all* releases of Fedora, so we can avoid this pointless scramble?
>
> What about to have F33 keys right now, when the fresh F31 branch is out?

+1. Go ahead and make the f33 keys when we branch for f31.

Re: fedora-gpg-keys not updated yet again
On 20. 08. 19 at 18:40, Kevin Fenzi wrote:
> On 8/20/19 7:37 AM, Petr Mensik wrote:
>> Hi!
>>
>> I could not find a safe way to upgrade also this time. I found update
>> F32 [1], but not corresponding F31 just adding new key. I am missing
>> update similar to [2], just for F31 that once was Rawhide. It should be
>> version 31-0.5
>>
>> I found and reopened one old bug [3]. I do not think this is just second
>> time.
> Yes, it is that version, but there is not any compose that it exists in
> yet.
>
>> On 8/19/19 11:32 PM, Kevin Fenzi wrote:
>>> So, a few things to note:
>>>
>>> * fedora-repos was updated for rawhide, however, unfortunately, It had
>>> two extra spaces on the first line... "  " which made gpg consider it
>>> invalid. This is likely the cause of any breakage with rawhide (mock,
>>> containers, copr, etc). This has been fixed in the newest fedora-repos
>>> package for f32/rawhide.
>>>
>>> * There is no f31 repo because we have not yet had a fedora 31 branched
>>> compose finish. So, mirrormanager is pointing people to rawhide. This is
>>> likely the cause of all problems related to f31.
>> I think this is a major point. I could not find update with
>> fedora-repos-31-0.5 signed. Instead, there is 32-0.1 served both by f31
>> updates and rawhide repo. I think there must be first updated GPG keys
>> N, which increases just minor version, not a major one. Major version
>> should be increased only after branching. Unless I am mistaken, rawhide
>> served me 32-0.1 signed by key contained inside. Okay, I had rawhide
>> repo enabled. But even
>> $ dnf --repo=updates --releasever=31 upgrade fedora-gpg-keys
>> did not offer different version. What was worse, both were signed by the
>> same F32 key.
> yes, because both f31 and f32 are currently pointing to f32 (rawhide).
>
> If we had a f31 compose you would not have hit this. You would update to
> the new f31 version and from there you could upgrade to f32 or stay on f31.

That is not completely true. The only possible way is to update the `fedora-gpg-keys` first without anything else and that was the reason for [1]. But since [1] did not land in Fedora prior the branch, there is no way to update Rawhide and keep everything Rawhide and at the same time keep checking signatures all the time.

IOW prior branch, I had installed fedora-repos-31-0.2 together with fedora-gpg-keys-31-0.2. As long as there was no F31 compose, there was available fedora-repos-32-0.2 together with fedora-gpg-keys-32-0.2 (or 0.1, it does not really matter), but those were not possible to install, because they are signed by F32 GPG key, which is not available on my system yet. The fedora-repos-31-0.5 is the first post branch package signed with the key on my system. This allows me to install fedora-gpg-keys-31-0.5 but at the same time it changes the configuration of /etc/yum.repos.d/fedora{,-rawhide}.repo making the system F31 instead of Rawhide. And this is wrong.

But it should be better next time, because [1] finally landed. It allows to update fedora-gpg-keys without updating fedora-repos. That means it should be possible to get the new Rawhide keys and then keep updating from Rawhide repository.

Vít

[1] https://src.fedoraproject.org/rpms/fedora-repos/c/7fe18642e83021bdb27698512d2401ba54a6e9ac?branch=master

> kevin

Re: fedora-gpg-keys not updated yet again
More below.

On 8/20/19 6:40 PM, Kevin Fenzi wrote:
> On 8/20/19 7:37 AM, Petr Mensik wrote:
>> Hi!
>>
>> I could not find a safe way to upgrade also this time. I found update
>> F32 [1], but not corresponding F31 just adding new key. I am missing
>> update similar to [2], just for F31 that once was Rawhide. It should be
>> version 31-0.5
>>
>> I found and reopened one old bug [3]. I do not think this is just second
>> time.
>
> Yes, it is that version, but there is not any compose that it exists in
> yet.
>
>> On 8/19/19 11:32 PM, Kevin Fenzi wrote:
>>> So, a few things to note:
>>>
>>> * fedora-repos was updated for rawhide, however, unfortunately, It had
>>> two extra spaces on the first line... "  " which made gpg consider it
>>> invalid. This is likely the cause of any breakage with rawhide (mock,
>>> containers, copr, etc). This has been fixed in the newest fedora-repos
>>> package for f32/rawhide.
>>>
>>> * There is no f31 repo because we have not yet had a fedora 31 branched
>>> compose finish. So, mirrormanager is pointing people to rawhide. This is
>>> likely the cause of all problems related to f31.
>> I think this is a major point. I could not find update with
>> fedora-repos-31-0.5 signed. Instead, there is 32-0.1 served both by f31
>> updates and rawhide repo. I think there must be first updated GPG keys
>> N, which increases just minor version, not a major one. Major version
>> should be increased only after branching. Unless I am mistaken, rawhide
>> served me 32-0.1 signed by key contained inside. Okay, I had rawhide
>> repo enabled. But even
>> $ dnf --repo=updates --releasever=31 upgrade fedora-gpg-keys
>> did not offer different version. What was worse, both were signed by the
>> same F32 key.
>
> yes, because both f31 and f32 are currently pointing to f32 (rawhide).
>
> If we had a f31 compose you would not have hit this. You would update to
> the new f31 version and from there you could upgrade to f32 or stay on f31.
>
> kevin

I think f32 key should NOT be used until this is fully separated and compose for older versions exist. Unless that key was leaked somehow, there is no hurry, right? That hurry makes pain to many people without justification for it, I think.

There would always be mass rebuild in later stage of F32, no need to switch key immediately. I think new key should not be enabled for signing in new Rawhide until all supported versions have that key in stable updates repo. That is not yet true now.

I am thinking, is there written guidance how to switch signing key on a branch? Are we prepared for emergency in case that key was leaked?

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: 65C6C973

Re: fedora-gpg-keys not updated yet again
On 8/20/19 7:37 AM, Petr Mensik wrote:
> Hi!
>
> I could not find a safe way to upgrade also this time. I found update
> F32 [1], but not corresponding F31 just adding new key. I am missing
> update similar to [2], just for F31 that once was Rawhide. It should be
> version 31-0.5
>
> I found and reopened one old bug [3]. I do not think this is just second
> time.

Yes, it is that version, but there is not any compose that it exists in yet.

> On 8/19/19 11:32 PM, Kevin Fenzi wrote:
>> So, a few things to note:
>>
>> * fedora-repos was updated for rawhide, however, unfortunately, It had
>> two extra spaces on the first line... "  " which made gpg consider it
>> invalid. This is likely the cause of any breakage with rawhide (mock,
>> containers, copr, etc). This has been fixed in the newest fedora-repos
>> package for f32/rawhide.
>>
>> * There is no f31 repo because we have not yet had a fedora 31 branched
>> compose finish. So, mirrormanager is pointing people to rawhide. This is
>> likely the cause of all problems related to f31.
> I think this is a major point. I could not find update with
> fedora-repos-31-0.5 signed. Instead, there is 32-0.1 served both by f31
> updates and rawhide repo. I think there must be first updated GPG keys
> N, which increases just minor version, not a major one. Major version
> should be increased only after branching. Unless I am mistaken, rawhide
> served me 32-0.1 signed by key contained inside. Okay, I had rawhide
> repo enabled. But even
> $ dnf --repo=updates --releasever=31 upgrade fedora-gpg-keys
> did not offer different version. What was worse, both were signed by the
> same F32 key.

yes, because both f31 and f32 are currently pointing to f32 (rawhide).

If we had a f31 compose you would not have hit this. You would update to the new f31 version and from there you could upgrade to f32 or stay on f31.

kevin

Re: fedora-gpg-keys not updated yet again
Hi!

I could not find a safe way to upgrade also this time. I found update F32 [1], but not corresponding F31 just adding new key. I am missing update similar to [2], just for F31 that once was Rawhide. It should be version 31-0.5

I found and reopened one old bug [3]. I do not think this is just second time.

On 8/19/19 11:32 PM, Kevin Fenzi wrote:
> So, a few things to note:
>
> * fedora-repos was updated for rawhide, however, unfortunately, It had
> two extra spaces on the first line... "  " which made gpg consider it
> invalid. This is likely the cause of any breakage with rawhide (mock,
> containers, copr, etc). This has been fixed in the newest fedora-repos
> package for f32/rawhide.
>
> * There is no f31 repo because we have not yet had a fedora 31 branched
> compose finish. So, mirrormanager is pointing people to rawhide. This is
> likely the cause of all problems related to f31.

I think this is a major point. I could not find update with fedora-repos-31-0.5 signed. Instead, there is 32-0.1 served both by f31 updates and rawhide repo. I think there must be first updated GPG keys N, which increases just minor version, not a major one. Major version should be increased only after branching. Unless I am mistaken, rawhide served me 32-0.1 signed by key contained inside. Okay, I had rawhide repo enabled. But even

$ dnf --repo=updates --releasever=31 upgrade fedora-gpg-keys

did not offer different version. What was worse, both were signed by the same F32 key.

> * Finally, updates are queued for f29/30/31 to add the f32 key. This
> shouldn't really be that big a deal unless you are running one of those
> and want to update to rawhide, or is there other cases here?
>
> I think the first 2 items are the ones causing problems, and the third
> is not so urgent as them. Sure, we can add it to the schedule and do it
> in advance, but the other things are the things to really avoid next time.
>
> kevin

1. https://bodhi.fedoraproject.org/updates/FEDORA-2019-12c2cfd23a
2. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7ac161b9d7
3. https://bugzilla.redhat.com/show_bug.cgi?id=1489628

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: 65C6C973

Re: fedora-gpg-keys not updated yet again
Same issue + bonus... Is necessary to define, F32 packages are mixed with F31 packages, comes broken packages...

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/THLVN2ZPY4XTCTV4CGLIDY6GO2E3YTNP/
Re: fedora-gpg-keys not updated yet again
On 8/19/19 3:23 PM, Peter Robinson wrote:
> On Mon, Aug 19, 2019 at 10:48 PM Kevin Fenzi wrote:
>>
>> So, a few things to note:
>>
>> * fedora-repos was updated for rawhide, however, unfortunately, It had
>> two extra spaces on the first line... " " which made gpg consider it
>> invalid. This is likely the cause of any breakage with rawhide (mock,
>> containers, copr, etc). This has been fixed in the newest fedora-repos
>> package for f32/rawhide.
>>
>> * There is no f31 repo because we have not yet had a fedora 31 branched
>> compose finish. So, mirrormanager is pointing people to rawhide. This is
>> likely the cause of all problems related to f31.
>>
>> * Finally, updates are queued for f29/30/31 to add the f32 key. This
>> shouldn't really be that big a deal unless you are running one of those
>> and want to update to rawhide, or is there other cases here?
>
> For local mock builds.

But mock gets that from distribution-gpg-keys, which is maintained by mock folks. fedora-repos doesn't matter there as far as I know?

I do see it has the broken f32 key. Filed https://bugzilla.redhat.com/show_bug.cgi?id=1743422 to get that fixed.

kevin
Re: fedora-gpg-keys not updated yet again
On Mon, Aug 19, 2019 at 10:48 PM Kevin Fenzi wrote:
>
> So, a few things to note:
>
> * fedora-repos was updated for rawhide, however, unfortunately, It had
> two extra spaces on the first line... " " which made gpg consider it
> invalid. This is likely the cause of any breakage with rawhide (mock,
> containers, copr, etc). This has been fixed in the newest fedora-repos
> package for f32/rawhide.
>
> * There is no f31 repo because we have not yet had a fedora 31 branched
> compose finish. So, mirrormanager is pointing people to rawhide. This is
> likely the cause of all problems related to f31.
>
> * Finally, updates are queued for f29/30/31 to add the f32 key. This
> shouldn't really be that big a deal unless you are running one of those
> and want to update to rawhide, or is there other cases here?

For local mock builds.

> I think the first 2 items are the ones causing problems, and the third
> is not so urgent as them. Sure, we can add it to the schedule and do it
> in advance, but the other things are the things to really avoid next time.
>
> kevin
Re: fedora-gpg-keys not updated yet again
On Mon, 2019-08-19 at 14:32 -0700, Kevin Fenzi wrote:
> So, a few things to note:
>
> * fedora-repos was updated for rawhide, however, unfortunately, It had
> two extra spaces on the first line... " " which made gpg consider it
> invalid. This is likely the cause of any breakage with rawhide (mock,
> containers, copr, etc). This has been fixed in the newest fedora-repos
> package for f32/rawhide.
>
> * There is no f31 repo because we have not yet had a fedora 31 branched
> compose finish. So, mirrormanager is pointing people to rawhide. This is
> likely the cause of all problems related to f31.

A potential 'solution' for this is to stop Rawhide composes at the branch point until a successful Branched compose has run. Not sure if that's too big a hammer for the walnut, though.

--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
Re: fedora-gpg-keys not updated yet again
So, a few things to note:

* fedora-repos was updated for rawhide, however, unfortunately, it had two extra spaces on the first line... " " which made gpg consider it invalid. This is likely the cause of any breakage with rawhide (mock, containers, copr, etc). This has been fixed in the newest fedora-repos package for f32/rawhide.

* There is no f31 repo because we have not yet had a fedora 31 branched compose finish. So, mirrormanager is pointing people to rawhide. This is likely the cause of all problems related to f31.

* Finally, updates are queued for f29/30/31 to add the f32 key. This shouldn't really be that big a deal unless you are running one of those and want to update to rawhide, or are there other cases here?

I think the first 2 items are the ones causing problems, and the third is not so urgent as them. Sure, we can add it to the schedule and do it in advance, but the other things are the things to really avoid next time.

kevin
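The first point in the message above (two extra spaces on the first line made gpg reject the file) is a defect that a check run before the package ships can catch. The following is an added example, not part of the original message and not Fedora's own tooling; it assumes the affected file is an ASCII-armored public key, and `lint_key_file`, `armor` and the sample data are hypothetical names constructed for illustration.

```python
import base64

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    """CRC-24 as defined for OpenPGP armor in RFC 4880, section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(payload: bytes) -> str:
    """Wrap bytes in public-key armor; used here only to build the sample."""
    b64 = base64.b64encode(payload).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "", *body, check, END]) + "\n"


def lint_key_file(text: str) -> list:
    """Return the problems found; an empty list means the armor is well formed."""
    lines = text.splitlines()
    problems = [f"line {n}: whitespace before armor line"
                for n, line in enumerate(lines, 1)
                if line.strip() in (BEGIN, END) and line != line.lstrip()]
    stripped = [line.strip() for line in lines]
    if BEGIN not in stripped or END not in stripped:
        return problems + ["missing BEGIN or END armor line"]
    block = stripped[stripped.index(BEGIN) + 1:stripped.index(END)]
    if "" not in block:
        return problems + ["no blank line between armor headers and body"]
    data = [line for line in block[block.index("") + 1:] if line]
    # The "=XXXX" checksum line is optional; verify it only when present.
    check = data.pop() if data and len(data[-1]) == 5 and data[-1][0] == "=" else None
    try:
        payload = base64.b64decode("".join(data), validate=True)
        if check and crc24(payload) != int.from_bytes(base64.b64decode(check[1:]), "big"):
            problems.append("CRC-24 mismatch: body altered or truncated")
    except ValueError:
        problems.append("body is not valid base64")
    return problems


# Constructed sample: 48 arbitrary bytes, not a real Fedora key.
GOOD = armor(bytes(range(48)))
INDENTED = "  " + GOOD                      # two extra spaces on the first line
CORRUPT = GOOD.replace("AAEC", "AAED", 1)  # one changed byte in the body
```

Run over every `RPM-GPG-KEY-*` file in a package build, a non-empty result is a reason to fail the build before the key reaches mirrors, containers or mock configurations.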
Re: fedora-gpg-keys not updated yet again
On 8/19/19 1:50 AM, Zbigniew Jędrzejewski-Szmek wrote:
> This seems to repeat every 6 months: rawhide mock is broken on stable
> Fedora

The fedora:rawhide containers are currently broken as well:

$ podman run -it registry.fedoraproject.org/fedora:rawhide
...
# dnf install deltarpm
...
The GPG keys listed for the "Fedora - Rawhide - Developmental packages for the next Fedora release" repository are already installed but they are not correct for this package

I know where to find the release schedules (e.g. https://fedorapeople.org/groups/schedule/f-32/f-32-releng-tasks.html), but those don't say much about Rawhide. Where are the schedules for Rawhide management? Do they currently include recomposing and publishing new container images when the keys are updated?
Re: fedora-gpg-keys not updated yet again
On Mon, Aug 19, 2019 at 01:03:05PM +0200, Miroslav Suchý wrote:
> On 19. 08. 19 at 10:50, Zbigniew Jędrzejewski-Szmek wrote:
> > This seems to repeat every 6 months: rawhide mock is broken on stable
> > Fedora, people are scrambling to install the right gpg keys, dnf reports
> > unsigned packages.
>
> Not actually true. We did not used to have signed rawhide in past. So this
> happened for ?second? time?
>
> Otherwise +1. It would be nice to put this point into schedule and have it
> there sooner than branching.

OK, we have a ticket open for F32 schedule already, so let's piggy-back on it: https://pagure.io/fesco/issue/2211#comment-590783

Zbyszek
Re: fedora-gpg-keys not updated yet again
On 19. 08. 19 at 10:50, Zbigniew Jędrzejewski-Szmek wrote:
> This seems to repeat every 6 months: rawhide mock is broken on stable
> Fedora, people are scrambling to install the right gpg keys, dnf reports
> unsigned packages.

Not actually true. We did not use to have signed rawhide in the past. So this happened for ?second? time?

Otherwise +1. It would be nice to put this point into schedule and have it there sooner than branching.

--
Miroslav Suchy, RHCA
Red Hat, Associate Manager ABRT/Copr, #brno, #fedora-buildsys
Re: fedora-gpg-keys not updated yet again
On Monday, August 19, 2019 10:50:52 AM CEST Zbigniew Jędrzejewski-Szmek wrote:
> Can we *please* send out the FN+1 and FN+2 keys a month before branching,
> to *all* releases of Fedora, so we can avoid this pointless scramble?

What about having F33 keys right now, when the fresh F31 branch is out?

Pavel
Re: fedora-gpg-keys not updated yet again
I think that the latest fedora-repos packages are broken (except Rawhide), because they do not ship with F32 keys. Filed fedora-release and releng tickets:

https://bugzilla.redhat.com/show_bug.cgi?id=1743196
https://pagure.io/releng/issue/8652

Vít

On 19. 08. 19 at 10:50, Zbigniew Jędrzejewski-Szmek wrote:
> This seems to repeat every 6 months: rawhide mock is broken on stable
> Fedora, people are scrambling to install the right gpg keys, dnf reports
> unsigned packages.
>
> Looking at https://bodhi.fedoraproject.org/updates/?packages=fedora-repos,
> there is still no F30 package with the right keys.
>
> Can we *please* send out the FN+1 and FN+2 keys a month before branching,
> to *all* releases of Fedora, so we can avoid this pointless scramble?
>
> Zbyszek
Re: fedora-gpg-keys not updated yet again
On 8/19/19 10:50 AM, Zbigniew Jędrzejewski-Szmek wrote:
> This seems to repeat every 6 months: rawhide mock is broken on stable
> Fedora, people are scrambling to install the right gpg keys, dnf reports
> unsigned packages.

The same applies to f31. The f31 repos are not in place, the mock-configs for f31 not in place in f30/f29 (Mock building for rawhide produces fc32 rpm ...)

The usual chaos, as it has been many times before, in phases like these.

Ralf
Re: fedora-gpg-keys not updated yet again
On Mon, 19 Aug 2019, Zbigniew Jędrzejewski-Szmek wrote:
> This seems to repeat every 6 months: rawhide mock is broken on stable
> Fedora, people are scrambling to install the right gpg keys, dnf reports
> unsigned packages.
>
> Looking at https://bodhi.fedoraproject.org/updates/?packages=fedora-repos,
> there is still no F30 package with the right keys.
>
> Can we *please* send out the FN+1 and FN+2 keys a month before branching,
> to *all* releases of Fedora, so we can avoid this pointless scramble?

+1. Right now COPR is broken completely with regards to rawhide.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
fedora-gpg-keys not updated yet again
This seems to repeat every 6 months: rawhide mock is broken on stable Fedora, people are scrambling to install the right gpg keys, dnf reports unsigned packages.

Looking at https://bodhi.fedoraproject.org/updates/?packages=fedora-repos, there is still no F30 package with the right keys.

Can we *please* send out the FN+1 and FN+2 keys a month before branching, to *all* releases of Fedora, so we can avoid this pointless scramble?

Zbyszek