On Sun, Jun 07, 2009 at 02:08:02PM -0700, Linda Walsh wrote:
I was looking at the distros and archs for packages installed on one of my systems. The system started out as a '32bit', i586-based system, but was upgraded to x86_64 later in life.
To check that I have no old-arch packages, I printed out dist's and arch's using:
rpm -qa --qf '%-25{distribution} (%{arch}) : %{n}-%{V}-%{R}\n'
Only one package had a 'binary' (not 'noarch') arch "mismatch" -- a package left over from 10.2:
openSUSE 10.2 (i686) (i686) : db-4.4.20-16
No...that's not a 'double-arch' printing -- it's a pre-11.1 "bug" where some packages contained an 'arch' string embedded in the distribution name.
Most of the archs agree (sort of) and make no difference, like:
openSUSE 10.2 (X86-64) (x86_64) : nttcp-1.47-151
openSUSE 10.3 (X86-64) (x86_64) : apcupsd-3.14.1-33
openSUSE 11.0 (X86-64) (x86_64) : acpiw-0.75-574.1
(i.e. 10.2, 10.3 and 11.0 had packages with an 'almost correct' but 'bogus' arch embedded in the distribution name: "X86-64" != "x86_64".)
A few had mismatching, confused values, mostly fonts/cursors:
openSUSE 10.2 (i586) (noarch) : agfa-fonts-2003.03.19-51
openSUSE 11.0 (i586) (noarch) : Crystalcursors-0.5-197.1
openSUSE 11.0 (i586) (noarch) : bitstream-vera-1.10-278.1
Some script-lang packages, like:
openSUSE 10.3 (i586) (noarch) : yast2-devtools-2.15.9-6
openSUSE 11.0 (i586) (noarch) : bootchart-0.9-221.1
But this is a weird one (it is inconsistent, but better than the others that it is inconsistent with):
openSUSE 11.0 (i586) (noarch) : suse-build-key-1.0-855.1
It's a build key -- but is it only for signing i586 packages? Not sure what was meant, but among "keys", it's the only one with ANY sort of indication of what "Distribution" it was 'for', or was valid for signing.
The other 'gpg' keys all have NO dist and, using the above-mentioned rpm query, print out as:
(none) ((none)) : gpg-pubkey-0dfb3188-41ed929b
(none) ((none)) : gpg-pubkey-307e3d54-44201d5d
(none) ((none)) : gpg-pubkey-307e3d54-481f30aa
(none) ((none)) : gpg-pubkey-3d25d3d9-36e12d04
(none) ((none)) : gpg-pubkey-3dbdc284-49144c3f
(none) ((none)) : gpg-pubkey-56b4177a-47965b33
(none) ((none)) : gpg-pubkey-7e2e3b05-44748aba
(none) ((none)) : gpg-pubkey-7e2e3b05-4816488f
(none) ((none)) : gpg-pubkey-9c800aca-40d8063e
(none) ((none)) : gpg-pubkey-9c800aca-481f343a
(none) ((none)) : gpg-pubkey-a1912208-446a0899
--------
So how do I tell what distros the keys are good for signing? How do I tell which are for old distros that I no longer want to have enabled for "signed" installing? I.e. I might like rpm to tell me that 'old-distro rpms' aren't signed with the "latest", released, distro key(s). Why would I have so many keys installed? I think the first distribution installed on here was 10.2 (i586), then an upgraded 'arch' with 10.2 (x86_64), then 10.3, 11.0 and now 11.1.
Theoretically, one could have 1 signing key per distribution (1 key being good for all archs), so I could have as few as 4 keys if things were 'optimal', or 5 keys if they signed different binary archs separately. But why 11 keys? Maybe oss vs. non-oss packages? That would yield 8 or 10 (presuming I had non-oss packages installed from each of my 4 distros, or 5 binary distros). Whatever...
The point is -- how can one tell, if the keys don't say what distribution they were shipped with?
gpg-pubkey are virtual RPM objects (GPG keys) already imported. They lack most RPM information. Once they are imported to RPM, they stay.
It's pointless, I believe, to attempt to go back and issue patches for all the pre-11.2 signing key packages so the distro names would be included, but would it be a good idea (and possible) to include the distributions in 11.2 (and beyond)?
The ones used by openSUSE itself are contained in the (real) openSUSE-build-key (before 11.1 it was suse-build-key) RPM.
They also live in the /usr/lib/rpm/gnupg/pubring.gpg keyring file.
/usr/lib/rpm/gnupg/pubring.gpg
------------------------------
pub 2048R/3D25D3D9 1999-03-06
uid SuSE Security Team
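The question in the thread is how to tell which of the imported gpg-pubkey entries are still relevant when the key entries themselves carry no distribution. What the rpm database does record is which key signed each installed package, and each package carries its own %{distribution}; joining the two gives each key a list of distributions it actually signed, and exposes keys that signed nothing installed. The script below is an added example written for this page, not code from the thread or from the openSUSE project. The rpm query tags it names (%{version}, %{summary}, %{distribution}, %{SIGPGP:pgpsig}) are standard; the uids, the dates and the high 32 bits of the key IDs in the embedded sample data are constructed placeholders, only the low 32 bits mirror the gpg-pubkey versions quoted in the post.

```shell
#!/bin/sh
# Added example: map each imported gpg-pubkey to the %{distribution} of the
# installed packages it signed, and list imported keys that signed nothing.
#
# On a real host the two inputs come from (standard rpm query tags):
#   rpm -q gpg-pubkey --qf '%{version} %{summary}\n'
#   rpm -qa --qf '%{distribution}\t%{SIGPGP:pgpsig}\n'
# %{SIGPGP:pgpsig} ends in "Key ID <16 hex digits>"; the low 32 bits of that
# ID are the %{version} of the matching gpg-pubkey entry.  Header-only
# signatures appear under %{RSAHEADER:pgpsig} / %{DSAHEADER:pgpsig} instead.
# Set USE_RPM=1 to query the local rpmdb; otherwise the constructed sample
# data below is used (placeholder uids, placeholder high 32 bits of key IDs).

keys_input() {
  if [ "${USE_RPM:-0}" = 1 ] && command -v rpm >/dev/null 2>&1; then
    rpm -q gpg-pubkey --qf '%{version} %{summary}\n'
  else
    cat <<'EOF'
9c800aca gpg(example package signing key <build@example.invalid>)
0dfb3188 gpg(example older signing key <old@example.invalid>)
3d25d3d9 gpg(example security key <security@example.invalid>)
EOF
  fi
}

pkgs_input() {
  if [ "${USE_RPM:-0}" = 1 ] && command -v rpm >/dev/null 2>&1; then
    rpm -qa --qf '%{distribution}\t%{SIGPGP:pgpsig}\n'
  else
    # constructed: <distribution><TAB><pgpsig>; the (none)/(none) row is what
    # a gpg-pubkey pseudo-package itself looks like (no dist, no signature)
    printf '%s\t%s\n' \
      'openSUSE 11.1 (x86_64)' 'RSA/SHA1, Mon 01 Dec 2008 10:00:00 AM UTC, Key ID 012345679c800aca' \
      'openSUSE 11.1 (x86_64)' 'RSA/SHA1, Tue 02 Dec 2008 10:00:00 AM UTC, Key ID 012345679C800ACA' \
      'openSUSE 10.2 (i686)'   'DSA/SHA1, Thu 02 Nov 2006 10:00:00 AM UTC, Key ID 89abcdef0dfb3188' \
      'openSUSE 11.0 (X86-64)' 'DSA/SHA1, Wed 18 Jun 2008 10:00:00 AM UTC, Key ID 55555555deadbeef' \
      '(none)'                 '(none)'
  fi
}

# key_usage KEYFILE PKGFILE
# prints: <key id, low 32 bits> | <distribution> | <package count> | <uid or status>
key_usage() {
  awk -F '\t' -v keyfile="$1" '
    BEGIN {
      while ((getline line < keyfile) > 0) {
        id = line; sub(/ .*/, "", id)          # first field: gpg-pubkey %{version}
        u = line;  sub(/^[^ ]+ */, "", u)      # rest: %{summary}, i.e. the key uid
        uid[tolower(id)] = u
      }
      close(keyfile)
    }
    {
      dist = $1; sig = $2
      if (match(sig, /Key ID [0-9A-Fa-f]+/)) {
        kid = tolower(substr(sig, RSTART + 7, RLENGTH - 7))
        kid = substr(kid, length(kid) - 7)     # low 32 bits = gpg-pubkey %{version}
      } else {
        kid = "(unsigned)"
      }
      count[kid SUBSEP dist]++
    }
    END {
      for (k in count) {
        split(k, kd, SUBSEP)
        if (kd[1] == "(unsigned)")  status = "-"
        else if (kd[1] in uid)      status = uid[kd[1]]
        else                        status = "KEY NOT IMPORTED"
        printf "%s | %s | %d | %s\n", kd[1], kd[2], count[k], status
      }
    }' "$2" | sort
}

# unused_keys KEYFILE PKGFILE: imported keys that signed none of the installed packages
unused_keys() {
  awk -F '\t' -v keyfile="$1" '
    BEGIN {
      while ((getline line < keyfile) > 0) {
        id = line; sub(/ .*/, "", id)
        all[tolower(id)] = line
      }
      close(keyfile)
    }
    match($2, /Key ID [0-9A-Fa-f]+/) {
      kid = tolower(substr($2, RSTART + 7, RLENGTH - 7))
      used[substr(kid, length(kid) - 7)] = 1
    }
    END { for (k in all) if (!(k in used)) print all[k] }
  ' "$2" | sort
}

kf=$(mktemp) && pf=$(mktemp)
keys_input > "$kf"
pkgs_input > "$pf"
echo "== key id | distribution | packages | uid =="
key_usage "$kf" "$pf"
echo "== imported keys that signed no installed package =="
unused_keys "$kf" "$pf"
rm -f "$kf" "$pf"
```

Two caveats for real use: the join is on the low 32 bits of the key ID because that is all the gpg-pubkey name carries, so in principle two different keys could share a gpg-pubkey version; and a key that signed no installed package is not necessarily obsolete (it may sign the next update from a still-enabled repository), so the "unused" list is a candidate list to check against the keys shipped in the current openSUSE-build-key package, not a removal list.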