https://bugzilla.suse.com/show_bug.cgi?id=1207683

Bug ID: 1207683
Summary: zypper: consider removing no longer need GPG keys from rpmdb
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: ma@suse.com
Reporter: matthias.gerstner@suse.com
QA Contact: qa-bugs@suse.de
CC: dheidler@suse.com, security-team@suse.de
Found By: ---
Blocker: ---

+++ This bug was initially created as a clone of Bug #1206924

In bug 1206924 comment 7 we stumbled over the topic of public GPG signing keys not being removed by zypper when invoking `zypper rr` and a related signing key is no longer needed.

The opi package manages third party repositories and hit the problem of properly cleaning up behind itself when repositories are deleted again. Having third party GPG keys lingering in the rpmdb can be security relevant.

In opi this is now solved on foot for the time being. So the question is whether it is possible to handle this on Zypper level already to remove no longer needed keys from the rpmdb.