On Thu, 6 Sep 2007, Adrian Schröter wrote:
* People who currently use repositories from OBS will need to import the new gpg key(s). Otherwise the package managers will report errors.
Is signing with two keys possible? If so use a new buildservice key and still sign all packages with the old one (at least for older distributions). Add multi-key handling for openSUSE 10.3 and start using it there.
We discussed this as well. It is technically possible but showed more problems. The biggest one is that people can just remove one of the keys on their mirror, so YaST would check only one. If this is only the generic OBS key, it is not enough anymore, but YaST (and any other package manager afaik) cannot decide between trusted and less trusted keys.
From my point of view it was very complicated to add a key for SUSE 10.1 (searching key, getting key, calling rpm with a command line). 10.2 did it automatically after a button press if I remember.
I myself still have some machines running 10.1 (gladly no longer 9.x, as Strato allowed updates of the virtual servers :-) and don't want to do this all again for all the projects I use. So my concern is that you may introduce lots of new work. The OBS key is outdated in May 2008 if I'm right. When you have proper key handling in openSUSE 10.3 and 10.2 all is fine and you may introduce new handling there, but leave the old key until it ends for the older distributions. Is this possible?

P.S. YaST needs an RPM key handling module, where I can list, disable, enable, ... the keys when you introduce such a mass of keys.

Ciao
--
http://www.dstoecker.eu/ (PGP key available)