Re: [Rpm-maint] [rpm-software-management/rpm] Installation / verification should not pass if the (sub)key(s) has been revoked or expired (#1598)

2021-07-01 Thread Colin Walters
Related discussion of this over here https://github.com/ostreedev/ostree/pull/2260 -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/1598#issuecomment-872509233___

Re: [Rpm-maint] [rpm-software-management/rpm] Installation / verification should not pass if the (sub)key(s) has been revoked or expired (#1598)

2021-07-01 Thread Demi Marie Obenour
Revocation checking requires a proper keystore, which RPM does not have. Expiration checking “merely” requires checking the expiration date of the self-signature.

Re: [Rpm-maint] [rpm-software-management/rpm] Installation / verification should not pass if the (sub)key(s) has been revoked or expired (#1598)

2021-07-01 Thread Michael Schroeder
Note the following text from the gpgv manpage:

```
gpgv2 assumes that all keys in the keyring are trustworthy. That does also mean that it does not check for expired or revoked keys.
```

So we're in good company ;-)

Re: [Rpm-maint] [rpm-software-management/rpm] Add CONTRIBUTING.md (#1709)

2021-07-01 Thread Florian Festi
There is obviously a book to be written on the topic. But maybe we can get away with a more minimalist approach for now. Still there are a few topics that we need to at least touch on. Commit messages being one of them. I will try to come up with something.

Re: [Rpm-maint] [rpm-software-management/rpm] fix rpmbuild failure because of wrong symlink length on some filesystems (#1740)

2021-07-01 Thread skysley
Thank you for the responses! I understand the problem(s) of this pull request. I have two questions:

1. Why is the archive size calculated in advance in the first place? Is this some kind of sanity check or is it required somewhere?
2. Would it be possible, in case the size check fails, to give

[Rpm-maint] [rpm-software-management/rpm] Check that OpenPGP signatures are the correct type (#1742)

2021-07-01 Thread Demi Marie Obenour
All OpenPGP signatures of packages are type 0 (binary), but RPM does not check this. RPM should check this as a defense-in-depth measure.

[Rpm-maint] [rpm-software-management/rpm] Reject bogus unhashed subpackets (#1741)

2021-07-01 Thread Demi Marie Obenour
According to [RFC 4880 §5.2.3]:

> There are two fields consisting of Signature subpackets. The first
> field is hashed with the rest of the signature data, while the second
> is unhashed. The second set of subpackets is not cryptographically
> protected by the signature and should include only a

Re: [Rpm-maint] [rpm-software-management/rpm] Fix out-of-tree builds (#1732)

2021-07-01 Thread Demi Marie Obenour
> Can you please provide the command you used to build and maybe even the
> error message you got?

I used a complex custom shell script; I will try to reproduce without it.

Re: [Rpm-maint] [rpm-software-management/rpm] Fix out-of-tree builds (#1732)

2021-07-01 Thread Florian Festi
Can you please provide the command you used to build and maybe even the error message you got?