Closed joselamego closed 5 years ago
Ok, so autospec fails hard in this case because it is considered a critical security issue that should at minimum require research and thought by the packager. The way you get around it is by removing the following line from the .spec file:
# Source0 file verified with key 0xDEADBEEFCAFEBABE (example@email.com)
Autospec will then allow you to import and use the new key.
We may need to provide a more straightforward way to do that.
Ideally we get some way where we get a security team or otherwise git commit with JUST the key change, so that we have accountability and traceability on such changes.
On Fri, Mar 23, 2018 at 10:58 AM, Matthew Johnson notifications@github.com wrote:
Ok, so autospec fails hard in this case because it is considered a critical security issue that should at minimum require research and thought by the packager. The way you get around it is by removing the following line from the .spec file:
# Source0 file verified with key 0xDEADBEEFCAFEBABE (example@email.com)
Autospec will then allow you to import and use the new key.
We may need to provide a more straightforward way to do that.
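One way to check for the "commit with JUST the key change" idea raised above, as an added example that is not from the thread or from autospec: it scans `git diff` output for the `# Source0 file verified with key` line and reports whether the pinned key changed and whether anything else changed with it. The function and class names, the `example.spec` file name and the second key ID are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

# Pinned-key comment in the format quoted in the thread; key ID captured without "0x".
KEY_LINE = re.compile(r"#\s*Source0 file verified with key (?:0x)?([0-9A-Fa-f]+)\b")

class KeyAudit(NamedTuple):
    old_key: Optional[str]  # key ID on the removed line, if any
    new_key: Optional[str]  # key ID on the added line, if any
    other_changes: int      # other added/removed non-blank lines

    @property
    def key_changed(self) -> bool:
        return self.old_key != self.new_key

    @property
    def isolated(self) -> bool:
        # The commit touches the pinned key and nothing else.
        return self.key_changed and self.other_changes == 0

def audit_diff(diff_text: str) -> KeyAudit:
    """Classify one commit given as `git diff` output (assumed input format)."""
    old_key = new_key = None
    other, in_hunk = 0, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git"):
            in_hunk = False            # file headers follow, not changes
        elif line.startswith("@@"):
            in_hunk = True
        elif in_hunk and line[:1] in ("+", "-"):
            m = KEY_LINE.match(line[1:])
            if m and line[0] == "-":
                old_key = m.group(1).upper()
            elif m:
                new_key = m.group(1).upper()
            elif line[1:].strip():
                other += 1
    return KeyAudit(old_key, new_key, other)

# Constructed sample commits; file name and the second key ID are placeholders.
ISOLATED = """\
diff --git a/example.spec b/example.spec
--- a/example.spec
+++ b/example.spec
@@ -5,3 +5,3 @@
 Release  : 1
-# Source0 file verified with key 0xDEADBEEFCAFEBABE (example@email.com)
+# Source0 file verified with key 0x0123456789ABCDEF (example@email.com)
 Summary  : constructed
"""
BUNDLED = ISOLATED + "@@ -1,1 +1,1 @@\n-Version  : 1.0\n+Version  : 1.1\n"
```

A reviewer or CI job could require `isolated` to be true for any commit where `key_changed` is true, so a key swap never rides along with a version bump.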
These gstreamer packages were updated a while back, and the submitter had accepted the new key as valid. So this issue is no longer valid.
Public key for the following packages has changed in version 1.14.0 (probably a couple previous versions too), blocking package updates: gst-plugins-bad, gst-plugins-base, gst-plugins-good, gst-plugins-ugly, gstreamer, gstreamer-vaapi
Please let me know if this is not the right channel to report this and if more information is needed.