Bug ID 1207683
Summary zypper: consider removing no longer needed GPG keys from rpmdb
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee ma@suse.com
Reporter matthias.gerstner@suse.com
QA Contact qa-bugs@suse.de
CC dheidler@suse.com, security-team@suse.de
Found By ---
Blocker ---

+++ This bug was initially created as a clone of Bug #1206924

In bug 1206924 comment 7 we stumbled over the topic of public GPG signing keys
not being removed by zypper when invoking `zypper rr` and a related signing
key is no longer needed.

The opi package manages third party repositories and hit the problem of
properly cleaning up behind itself when repositories are deleted again. Having
third party GPG keys lingering in the rpmdb can be security relevant. In opi
this is now solved on foot for the time being.

So the question is whether it is possible to handle this on Zypper level
already to remove no longer needed keys from the rpmdb.
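
An audit sketch for the lingering-key problem described in this report, added here as an example; it is not code from the report, zypper or opi. It flags `gpg-pubkey` entries in the rpmdb whose short key ID (the VERSION field of the pseudo-package) is not on an administrator-maintained allowlist. The function names, the allowlist file and the sample rpmdb lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find GPG public keys in the rpmdb that are not expected.
# rpm stores every imported key as a pseudo-package named
# gpg-pubkey-<VERSION>-<RELEASE>, where VERSION is the short key ID in hex.

# One line per imported key: "<name-version-release><TAB><summary>".
list_rpmdb_keys() {
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
}

# unexpected_keys ALLOWLIST_FILE
# Reads list_rpmdb_keys output on stdin and prints every entry whose short
# key ID is not in the allowlist (one hex ID per line, '#' starts a comment).
# Lines that are not gpg-pubkey entries (for example rpm's "is not installed"
# message) are ignored. A missing allowlist flags every key.
unexpected_keys() {
    awk -F'\t' -v allow="$1" '
        BEGIN {
            while ((getline line < allow) > 0) {
                sub(/#.*/, "", line)
                gsub(/[ \t]/, "", line)
                if (line != "") ok[tolower(line)] = 1
            }
        }
        $1 ~ /^gpg-pubkey-[0-9a-fA-F]+-[0-9a-fA-F]+$/ {
            n = split($1, part, "-")
            id = tolower(part[n - 1])
            if (!(id in ok)) print $0
        }
    '
}

# Constructed sample of list_rpmdb_keys output (not real keys), so the
# filter can be tried on a machine without rpm.
sample_rpmdb_output() {
    printf 'gpg-pubkey-aaaa1111-5f000000\tExample Distro Signing Key <build@example.org> public key\n'
    printf 'gpg-pubkey-bbbb2222-60000000\tExample Third Party Repo <repo@example.net> public key\n'
    printf 'package gpg-pubkey is not installed\n'
}

# On a real system: list_rpmdb_keys | unexpected_keys /path/to/allowlist
```

After review, a flagged entry can be removed from the rpmdb with `rpm -e` followed by the full `gpg-pubkey-<version>-<release>` name printed in the first column.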
