[Linux-PowerEdge] RPM repo GPG key changed

Anand Buddhdev anandb at ripe.net
Mon Jul 2 09:20:49 CDT 2018


On 02/07/2018 16:16, Aparna.Giri at Dell.com wrote:

Hi Aparna,

Can you please be more specific about your fix? What exactly are you
going to do? Are you going to re-sign all the packages with the old key?
Or will you sign them all with the new key? And if you do that, how
exactly are all users going to get the new key? Remember that not all users
are on this list, so it's not enough to just announce here and tell folk
to import the new key. That just won't cut it. I'd like to hear details
about your fix.

Anand

> Hi All,
> 
> We are working on fixing this. The fixed RPMs will be available in ~1 week. 
> 
> Thanks,
> Aparna
> 
> 
> -----Original Message-----
> From: linux-poweredge-bounces-Lists On Behalf Of James Mathiesen
> Sent: Friday, June 29, 2018 6:38 PM
> To: linux-poweredge-Lists
> Subject: Re: [Linux-PowerEdge] RPM repo GPG key changed
> 
> Dell,
> 
> We also use Spacewalk and the limitation Jeff mentions will be a problem for us as well.
> 
> There is no customer benefit in using stronger keys and signature algorithms if Dell doesn’t stop requiring trust in the weaker keys and signature algorithms. A complete transition would have been disruptive but at least been a one-time cost with a clear fix, clear benefits and a clear end-state. Using the existing 1024-bit key with a stronger signing algorithm would have been non-disruptive but provided lesser benefits.
> 
> If there is a commitment to improving customer security I don't see how this specific change was a useful intermediate step.  If there is no commitment to improving customer security this change was a waste of everybody's time.  
> 
> james
> 
> 
> 
> 
> On 6/28/18, 9:36 PM, "Linux-PowerEdge on behalf of Gottloeb, Jeff [US] (ES)" <linux-poweredge-bounces at dell.com on behalf of jeffrey.gottloeb at ngc.com> wrote:
> 
>     Chandra,
>     
>     Please provide the justification for not signing all of the RPMs with the new key.  There are Dell customers with systems that do not have Internet connectivity and therefore need other solutions to manage the DSU and OMSA repositories.  Red Hat's disconnected Satellite server is one method designed for this purpose but it does not support multiple GPG keys for the same repository.
>     
>     Is there a target date when all of the RPMs will be signed with this new key?
>     
>     
>     Jeff Gottloeb
>     Northrop Grumman IT Solutions
>     310 812 4395
>     
>     
>     
>     _______________________________________________
>     Linux-PowerEdge mailing list
>     Linux-PowerEdge at dell.com
>     https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.us.dell.com_mailman_listinfo_linux-2Dpoweredge&d=DwICAg&c=9Hv6XPedRSA-5PSECC38X80c1h60_XWA4z1k_R1pROA&r=CfAaYCQEf7pGoAdbq0Icw0twCvsk5y-CVhkNDSSJWU0&m=7-VNCLmkBGYWR-b1BySKceKLSMsi72ECRpu5UYm29r0&s=age2iN5lvS7avxm90dRrt9mbQtsQZeHC_SJO-GL-57I&e=
>     
> 
> _______________________________________________
> Linux-PowerEdge mailing list
> Linux-PowerEdge at dell.com
> https://lists.us.dell.com/mailman/listinfo/linux-poweredge
> 


