Mailinglist Archive: opensuse (1468 mails)

[opensuse] gpg-pubkeys missing 'Distribution'
  • From: Linda Walsh <suse@xxxxxxxxx>
  • Date: Sun, 07 Jun 2009 14:08:02 -0700
  • Message-id: <4A2C2C32.90504@xxxxxxxxx>

I was looking at the distro's and 'arch's for packages installed on one of my systems. The system started out as a '32bit', i586-based system, but was upgraded to x86_64 later in life.

To check that I have no old-arch packages, I printed out dist's and arch's
using:

rpm -qa --qf '%-25{distribution} (%{arch}) : %{n}-%{V}-%{R}\n'

Only one package showed a 'binary' (not 'noarch') arch "mismatch" --
a package left over from 10.2:
openSUSE 10.2 (i686) (i686) : db-4.4.20-16

No...that's not a 'double-arch' printing -- it's a pre-11.1 "bug" where
some packages contained an 'arch' string embedded in the distribution name.

Most of the 'arch's agree (sorta) and make no diff, like:

openSUSE 10.2 (X86-64) (x86_64) : nttcp-1.47-151
openSUSE 10.3 (X86-64) (x86_64) : apcupsd-3.14.1-33
openSUSE 11.0 (X86-64) (x86_64) : acpiw-0.75-574.1

(i.e. 10.2, 10.3 and 11.0 had packages with an 'almost correct', but
'bogus' 'arch' embedded in the distribution name ("X86-64" != "x86_64")).

A few had mismatching, confused values, mostly fonts/cursors:
openSUSE 10.2 (i586) (noarch) : agfa-fonts-2003.03.19-51
openSUSE 11.0 (i586) (noarch) : Crystalcursors-0.5-197.1
openSUSE 11.0 (i586) (noarch) : bitstream-vera-1.10-278.1

Some script-lang packages, like:
openSUSE 10.3 (i586) (noarch) : yast2-devtools-2.15.9-6
openSUSE 11.0 (i586) (noarch) : bootchart-0.9-221.1

But this is a weird one (as it is inconsistent, but better than
the others that it is inconsistent with):
openSUSE 11.0 (i586) (noarch) : suse-build-key-1.0-855.1

It's a build key -- but is it only for signing i586 packages? Not sure
what was meant, but among "keys", it's the only one with ANY sort of
indication of what "Distribution" it was 'for', or was valid for signing.

The other 'gpg' keys all have NO dist and, using the above-mentioned
rpm query, print out as:
(none) ((none)) : gpg-pubkey-0dfb3188-41ed929b
(none) ((none)) : gpg-pubkey-307e3d54-44201d5d
(none) ((none)) : gpg-pubkey-307e3d54-481f30aa
(none) ((none)) : gpg-pubkey-3d25d3d9-36e12d04
(none) ((none)) : gpg-pubkey-3dbdc284-49144c3f
(none) ((none)) : gpg-pubkey-56b4177a-47965b33
(none) ((none)) : gpg-pubkey-7e2e3b05-44748aba
(none) ((none)) : gpg-pubkey-7e2e3b05-4816488f
(none) ((none)) : gpg-pubkey-9c800aca-40d8063e
(none) ((none)) : gpg-pubkey-9c800aca-481f343a
(none) ((none)) : gpg-pubkey-a1912208-446a0899

--------

So how do I tell what distro's the keys are good for signing?
How do I tell which are for old 'distro's, that I no longer want
to have enabled for "signed" installing? I.e., I might like rpm to tell me that 'old-distro rpms' aren't signed with the "latest", released,
Distro key(s). Why would I have so many keys installed? I think
the first distribution installed on here was 10.2(i586), upgraded
'arch' (w/10.2(x86_64)), 10.3, 11.0 and now, 11.1.

Theoretically, one could have 1 signing key/distribution (1 key being good for all archs), so I could have as few as 4 keys if things were 'optimal', or 5 keys if they signed different binary archs separately.
But why 11 keys? Maybe oss vs. non-oss packages? That would yield
8 or 10 (presuming I had non-oss packages installed from each of my
4 distros (or 5 binary distros)). Whatever...

The point is -- how can one tell if the keys don't say what Distribution they were shipped with?

It's pointless, I believe, to attempt to go back and issue patches for
all the pre-11.2 signing key packages so the distro-names would be included, but would it be a good idea (and possible) to include
the distributions in 11.2 (and beyond?)

Linda
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
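A worked example, added here and not part of Linda's mail or of any openSUSE tool: a Python script that parses the output of the rpm query quoted in the mail (the sample lines below are constructed from the lines she posted), flags packages whose binary arch is not the host arch, treats the arch string embedded in the older 'distribution' tags as informational only, and decodes the gpg-pubkey pseudo-package names. The host arch of x86_64 and the status labels are assumptions of this example; the naming of imported keys (version = low 32 bits of the key ID, release = key creation time as hex seconds since the epoch) is how rpm names gpg-pubkey packages.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# One line of: rpm -qa --qf '%-25{distribution} (%{arch}) : %{n}-%{V}-%{R}\n'
# The distribution tag may itself end in "(i586)" or "(X86-64)", and a
# missing tag prints as "(none)", which yields "(none) ((none)) : ...".
LINE_RE = re.compile(
    r'^(?P<dist>.+?)\s+\((?P<arch>\(?[^()]+\)?)\)\s*:\s*(?P<nvr>\S+)\s*$')

# rpm names an imported key gpg-pubkey-<keyid low 32 bits>-<creation time, hex>
PUBKEY_RE = re.compile(
    r'^gpg-pubkey-(?P<keyid>[0-9a-f]{8})-(?P<ctime>[0-9a-f]{8})$')

# Constructed sample input, copied from the lines quoted in the mail.
SAMPLE = """\
openSUSE 10.2 (i686) (i686) : db-4.4.20-16
openSUSE 10.2 (X86-64) (x86_64) : nttcp-1.47-151
openSUSE 10.3 (X86-64) (x86_64) : apcupsd-3.14.1-33
openSUSE 10.2 (i586) (noarch) : agfa-fonts-2003.03.19-51
openSUSE 11.0 (i586) (noarch) : suse-build-key-1.0-855.1
(none) ((none)) : gpg-pubkey-0dfb3188-41ed929b
(none) ((none)) : gpg-pubkey-307e3d54-44201d5d
(none) ((none)) : gpg-pubkey-307e3d54-481f30aa
(none) ((none)) : gpg-pubkey-9c800aca-481f343a
"""


def parse_line(line):
    """Split one query line into distribution, arch and name-version-release."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {'dist': m.group('dist').strip(),
            'arch': m.group('arch'),
            'nvr': m.group('nvr')}


def canonical_arch(s):
    """Fold 'X86-64' (old distribution-tag spelling) onto rpm's 'x86_64'."""
    return s.lower().replace('-', '_')


def embedded_arch(dist):
    """Return the arch string a pre-11.1 distribution tag carries, if any."""
    m = re.search(r'\(([^()]+)\)\s*$', dist)
    return m.group(1) if m else None


def classify(entry, host_arch='x86_64'):
    """Status labels are this example's own; host_arch is an assumption."""
    if entry['dist'] == '(none)':
        return 'no-distribution'        # nothing says which release it came with
    if entry['arch'] == 'noarch':
        return 'noarch'                 # arch in the dist tag carries no meaning
    if entry['arch'] != host_arch:
        return 'foreign-arch'           # leftover binary from the old arch
    emb = embedded_arch(entry['dist'])
    if emb is not None and canonical_arch(emb) != canonical_arch(entry['arch']):
        return 'dist-arch-mismatch'
    return 'ok'


def pubkey_info(nvr):
    """Decode key ID and creation date from a gpg-pubkey package name."""
    m = PUBKEY_RE.match(nvr)
    if not m:
        return None
    created = datetime.fromtimestamp(int(m.group('ctime'), 16), tz=timezone.utc)
    return m.group('keyid'), created


def report(text, host_arch='x86_64'):
    """Parse all lines and attach a status (and key data for pubkeys)."""
    rows = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        e['status'] = classify(e, host_arch)
        info = pubkey_info(e['nvr'])
        if info:
            e['keyid'], e['created'] = info
        rows.append(e)
    return rows


def pubkeys_by_id(rows):
    """Group imported keys by key ID so re-imports of one key stand out."""
    groups = defaultdict(list)
    for r in rows:
        if 'keyid' in r:
            groups[r['keyid']].append(r['created'].date().isoformat())
    return dict(groups)


if __name__ == '__main__':
    rows = report(SAMPLE)
    for r in rows:
        print(f"{r['status']:20} {r['nvr']}")
    for keyid, dates in pubkeys_by_id(rows).items():
        print(f"key {keyid}: created {', '.join(sorted(dates))}")
```

On a real system, feed the script the output of the rpm query from the mail instead of `SAMPLE`. The creation dates it decodes are one handle on which release a key arrived with; the other is that rpm keeps the key's user ID in the `%{summary}` of the gpg-pubkey pseudo-package, so `rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release}  %{summary}\n'` shows who each key belongs to even though the distribution tag is empty.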
