On Jun 19, 2010, at 10:36 AM, Eric MSP Veith wrote:
> On Friday 18 June 2010, Jeff Johnson <firstname.lastname@example.org> wrote:
>>> - ---%<---
>>> %post -p <lua>
>>> - --->%---
>> Oooh, nicely done! That's so much easier than the
>> insanity within the statically linked glibc %post
>> that is traditionally used.
> I just ate my own dog food and upgraded glibc-2.7 to eglibc-2.11 on my
> workstation while KDE and everything was running. It worked! :-)
>> FWIW, all scriptlet bodies are macro expanded so this SHOULD work:
>> - ---%<---
>> %post -p <lua>
>> - --->%---
> I'll try it out at another occasion. My TODO file holds the bare-metal
> buildroot thingy as next priority item. Btw, I added my package building key
> to keys.rpm5.org. Now that it's there, will RPM5 > 5.1.9 automatically check
> for the key whenever it encounters signed packages?
The HKP retrieval is automated in rpm-5.3.1, not earlier.
Well, all versions of RPM back to rpm-4.4.2 have been able to
fetch pubkeys from HKP servers.
What is different in 5.3.1 is
1) pubkeys are validated by verifying pubkey signatures, invalid/unsigned
   pubkeys are rejected.
2) expired/revoked pubkeys (and signatures) are handled
3) the bandwidth usage (and network outages) and other
   mysteries of automating pubkey retrieval are more carefully handled.
   E.g. a pubkey retrieval will be attempted _EXACTLY_ once,
4) issues of persistence and "trust" and
       Do you really want to import a pubkey from blah-blah(yN)?
   are avoided by using pubkeys ephemerally, i.e. the retrieved
   pubkeys are _ONLY_ used by RPM to verify integrity while installing,
   no other usage for what are, in fact, P-U-B-L-I-C keys, not
   the PIN to your bank account, or other more serious security matters.
>> Congrats seem to be in order. Congrats!
> Thanks! Dunno whether I can still "lose". I hope for a good evaluation. :-)
73 de Jeff
Received on Sat Jun 19 16:48:29 2010
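The four points in the reply above, modelled as an added example that is not part of the original message and is not RPM's code. The class and function names, the key IDs and the fake fetch function are all constructed, and the pubkey signature check is represented by a boolean rather than real OpenPGP verification.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass(frozen=True)
class PubKey:                      # constructed stand-in for a parsed pubkey
    keyid: str
    self_sig_valid: bool           # assumed outcome of the pubkey signature check
    expires_at: Optional[float]    # epoch seconds; None means no expiry
    revoked: bool = False

class EphemeralKeyring:
    """Held in memory only; one retrieval attempt per key ID, success or not."""
    def __init__(self, fetch: Callable[[str], PubKey], now=time.time):
        self._fetch, self._now = fetch, now
        self._results: Dict[str, Optional[PubKey]] = {}
        self.rejections: Dict[str, str] = {}

    def _reject_reason(self, key: PubKey) -> Optional[str]:
        if not key.self_sig_valid:
            return "invalid or unsigned pubkey"
        if key.revoked:
            return "revoked"
        if key.expires_at is not None and key.expires_at <= self._now():
            return "expired"
        return None

    def get(self, keyid: str) -> Optional[PubKey]:
        if keyid in self._results:             # cached, including failures
            return self._results[keyid]
        try:
            key = self._fetch(keyid)
            reason = self._reject_reason(key)
        except OSError as exc:                 # outage: remember it, do not retry
            key, reason = None, f"retrieval failed: {exc}"
        if reason:
            self.rejections[keyid], key = reason, None
        self._results[keyid] = key
        return key

# Constructed sample keys and a fake HKP fetch that counts its calls.
NOW = 1_276_900_000.0
SAMPLE = {k.keyid: k for k in (
    PubKey("AAAA0001", True, None),
    PubKey("AAAA0002", False, None),
    PubKey("AAAA0003", True, NOW - 1),
    PubKey("AAAA0004", True, None, revoked=True))}
CALLS: Dict[str, int] = {}

def fake_fetch(keyid: str) -> PubKey:
    CALLS[keyid] = CALLS.get(keyid, 0) + 1
    if keyid not in SAMPLE:
        raise OSError("keyserver unreachable")
    return SAMPLE[keyid]
```

Caching the failures alongside the successes is what keeps a transaction with many packages from the same signer to a single keyserver request when that keyserver is down.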