Re: [Rpm-maint] [rpm-software-management/rpm] Remove "support" for loading keyring from filesystem (#857)
Closed #857.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/857#event-2667743446
___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Remove "support" for loading keyring from filesystem (#857)
Oh. We're not removing something that's in active use, I simply had no idea people actually use that, I've never heard so much as a single word of anybody using it until now. Closing and back to drawing board, but clearly proposing removal was an effective way to gain information. Thanks for the feedback.
Re: [Rpm-maint] [rpm-software-management/rpm] Remove "support" for loading keyring from filesystem (#857)
(Except I think that code is still not used by dnf because it dates to the PackageKit C vs yum Python days?)
Re: [Rpm-maint] [rpm-software-management/rpm] Remove "support" for loading keyring from filesystem (#857)
Also worth noting https://github.com/rpm-software-management/libdnf/issues/43 (libdnf auto-injects `/etc/pki/rpm-gpg`)
Re: [Rpm-maint] [rpm-software-management/rpm] Remove "support" for loading keyring from filesystem (#857)
Ideally we don't want to have to carry a revert to gain the functionality back for the Yocto Project. Is there something else that can be done here other than to remove the code, such as an option within the configuration to allow it to continue to function as it does today?
Re: [Rpm-maint] [rpm-software-management/rpm] Remove "support" for loading keyring from filesystem (#857)
Yes, this is actively used by the Yocto Project. It allows us to have a single location in the system that contains all of the software keys, and can be updated dynamically by authorized systems/components. Having to load keys (manually) into the rpm database makes it very difficult to support devices that can't be serviced and have no console. Instead we can remove old keys and install new keys [passing appropriate selinux/ima/etc security methods] by updating files. It also allows developers to open up devices for user control by installing secondary keys for user-packages to 'unlock' an otherwise locked device.
Re: [Rpm-maint] [rpm-software-management/rpm] Remove "support" for loading keyring from filesystem (#857)
(cc: @mhatle @kanavin)
[Rpm-maint] [rpm-software-management/rpm] Remove "support" for loading keyring from filesystem (#857)
This is basically an abandoned and forgotten development path from 11 years ago that arguably should've been removed long ago, and one that has potential security implications and doesn't play well with existing API users who rely on gpg-pubkey headers being in the rpmdb (RhBug:1393586)

You can view, comment on, or merge this pull request online at:
https://github.com/rpm-software-management/rpm/pull/857

-- Commit Summary --
* Remove support for loading keyring from filesystem

-- File Changes --
M lib/rpmts.c (56)

-- Patch Links --
https://github.com/rpm-software-management/rpm/pull/857.patch
https://github.com/rpm-software-management/rpm/pull/857.diff