Bug ID | 1207683 |
---|---|
Summary | zypper: consider removing no longer needed GPG keys from rpmdb |
Classification | openSUSE |
Product | openSUSE Tumbleweed |
Version | Current |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Security |
Assignee | ma@suse.com |
Reporter | matthias.gerstner@suse.com |
QA Contact | qa-bugs@suse.de |
CC | dheidler@suse.com, security-team@suse.de |
Found By | --- |
Blocker | --- |

+++ This bug was initially created as a clone of Bug #1206924

In bug 1206924 comment 7 we stumbled over the topic of public GPG signing keys not being removed by zypper when invoking `zypper rr` and a related signing key is no longer needed.

The opi package manages third-party repositories and hit the problem of properly cleaning up behind itself when repositories are deleted again. Having third-party GPG keys lingering in the rpmdb can be security-relevant. In opi this is now solved on foot for the time being.

So the question is whether it is possible to handle this on Zypper level already to remove no longer needed keys from the rpmdb.