[Rpm-maint] [rpm-software-management/rpm] Implement openpgp.cert.d based keystore (PR #3437)
Neal H. Walfield
notifications at github.com
Fri Nov 8 13:27:26 UTC 2024
@nwalfield commented on this pull request.
>
- if (replace) {
- rasprintf(&tmppath, "%s.new", path);
- unlink(tmppath);
+ rc = write_key_to_disk(key, dirstr, keyfmt, replace, flags);
+
+ if (!rc && replace) {
+ /* find and delete the old pubkey entry */
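Review bot: in the `if (!rc && replace)` branch there is no visible handling for a failure between writing the new key and deleting the old pubkey entry, so a replace that is interrupted or whose delete fails could leave both entries in the keystore. The removed lines built a `%s.new` temporary path for the replace case; please say in the comment what state the keystore is in when only the `write_key_to_disk()` step completes, and make sure a failed delete is reflected in `rc`.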
I'm a bit concerned about this. OpenPGP certificates are mostly append-only data structures. To understand why, imagine that the certificate is revoked, and the revocation certificate is stored locally. Then some process comes along and updates the certificates, but it doesn't have the revocation certificate for some reason. The revocation certificate will now be deleted, and rpm may start relying on the revoked certificate again.
So, from my perspective, the correct thing to do here is to merge the existing data with the new data.
Can you explain your thought process here and what you are trying to accomplish?
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/3437#pullrequestreview-2423810811
Message ID: <rpm-software-management/rpm/pull/3437/review/2423810811 at github.com>
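The difference between replacing and merging described in the comment above, as an added example that is not part of the original message or of rpm's code: a certificate is split into packets and the stored and incoming copies are combined as a union, so a locally held revocation survives an update that lacks it. The names `split_packets`, `merge_certs` and `pkt` are hypothetical, the sample packets are constructed placeholders, and signatures are not verified.

```python
# Added example (not rpm's code): packet-level merge of two copies of one cert.
SIG, ORDER = 2, {6: 0, 13: 1, 17: 1, 14: 2}  # tags: key, user ID/attr, subkey

def split_packets(data):
    """Yield (tag, body, raw) per packet; framing per RFC 4880 section 4.2."""
    i = 0
    while i < len(data):
        h = data[i:i + 6].ljust(6, b"\0")  # zero-padded so reads cannot overrun
        if not h[0] & 0x80 or h[0] & 0xC3 == 0x83 or (h[0] & 0x40 and 224 <= h[1] < 255):
            raise ValueError("not a packet, or partial/indeterminate length (not handled)")
        if h[0] & 0x40:                                # new-format header
            tag, o1 = h[0] & 0x3F, h[1]
            if o1 < 192:
                hdr, n = 2, o1
            elif o1 < 224:
                hdr, n = 3, ((o1 - 192) << 8) + h[2] + 192
            else:                                      # 255: four-octet length
                hdr, n = 6, int.from_bytes(h[2:6], "big")
        else:                                          # old-format header
            tag, size = (h[0] >> 2) & 0x0F, 1 << (h[0] & 3)
            hdr, n = 1 + size, int.from_bytes(h[1:1 + size], "big")
        if i + hdr + n > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i + hdr:i + hdr + n], data[i:i + hdr + n]
        i += hdr + n

def merge_certs(existing, incoming):
    """Union of both copies, so nothing already stored locally is dropped."""
    comps = {}                 # (tag, body) -> [raw packet, {sig body: raw sig}]
    for blob in (existing, incoming):
        current = None
        for tag, body, raw in split_packets(blob):
            if tag in ORDER:
                current = comps.setdefault((tag, body), [raw, {}])
            elif tag == SIG and current is not None:
                current[1].setdefault(body, raw)
            else:
                raise ValueError("unexpected packet tag %d" % tag)
    if sum(tag == 6 for tag, _ in comps) != 1:
        raise ValueError("copies do not share exactly one primary key")
    parts = sorted(comps.items(), key=lambda kv: ORDER[kv[0][0]])
    return b"".join(raw + b"".join(sigs.values()) for _, (raw, sigs) in parts)

# Constructed sample: placeholder bodies, not real key or signature material.
def pkt(tag, body):
    return bytes([0xC0 | tag, len(body)]) + body
KEY, UID, S1 = pkt(6, b"key"), pkt(13, b"user id"), pkt(2, b"selfsig-1")
LOCAL = KEY + pkt(2, b"revocation") + UID + S1      # on disk, includes revocation
UPDATE = KEY + UID + S1 + pkt(2, b"selfsig-2")      # refreshed copy without it
```

With the constructed sample, `merge_certs(LOCAL, UPDATE)` keeps the revocation packet, whereas storing `UPDATE` in place of `LOCAL` would drop it.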