[Rpm-maint] [rpm-software-management/rpm] Ignore subkeys that are expired or cannot be used for signing (Issue #1911)
Panu Matilainen
notifications at github.com
Thu Feb 24 09:37:44 UTC 2022
>From rpm POV, the revocation problem is exactly the same as expiry: software doesn't get uninstalled or become inaccessible by somebody somewhere revoking something. Rpm would need to use a different policy for installed packages to make that possible, and it all spins out of hand real fast.
The sanest thing for rpm to do would be dropping support for subkeys because that opens up all manner of complications that just don't exist with primary keys. When subkey parsing support was added in 355c9b069f25d3a9c3dc224fb39a90522c04ca28 , I doubt the complexities were considered at all.
The other thing to keep in mind wrt rpm key support is that rpm's imported == trusted key model means that you only feed very curated material into rpm. It doesn't generally need to handle arbitrary key data off the net, like a general purpose OpenPGP implementation does.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1911#issuecomment-1049663358
You are receiving this because you are subscribed to this thread.
Message ID: <rpm-software-management/rpm/issues/1911/1049663358 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20220224/e65d9d7a/attachment-0001.html>
More information about the Rpm-maint
mailing list