Bug 24989

Summary: Update request: mageia-repos-6-3.mga6
Product: Mageia
Reporter: Thomas Backlund <tmb>
Component: RPM Packages
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: davidwhodgins, mageia, sysadmin-bugs
Version: 6
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: mageia-repos
CVE:
Status comment:
Bug Depends on:
Bug Blocks: 24309

Description Thomas Backlund 2019-06-21 15:57:31 CEST
This is one of the blockers for the libreoffice update


Advisory:
Updated mageia-repos package makes the DE-agnostic libreoffice-x11 plugin
the default choice when libreoffice is upgraded (rather than
libreoffice-kf5) when using dnf. This avoids additional Plasma packages
being installed on non-Plasma systems.


SRPMS:
mageia-repos-6-2.mga6.src.rpm


i586:
mageia-repos-6-2.mga6.i586.rpm
mageia-repos-cauldron-6-2.mga6.i586.rpm
mageia-repos-keys-6-2.mga6.noarch.rpm
mageia-repos-pkgprefs-6-2.mga6.noarch.rpm


x86_64:
mageia-repos-6-2.mga6.x86_64.rpm
mageia-repos-cauldron-6-2.mga6.x86_64.rpm
mageia-repos-keys-6-2.mga6.noarch.rpm
mageia-repos-pkgprefs-6-2.mga6.noarch.rpm
Thomas Backlund 2019-06-21 15:58:00 CEST

Blocks: (none) => 24309

Comment 1 Dave Hodgins 2019-06-21 22:44:46 CEST
The mageia-repos-keys should include a version of the key with the expiry date
extended.

[root@x3 ~]# gpg --import /etc/pki/rpm-gpg/RPM-GPG-KEY-Mageia 
gpg: key 80420F66: public key "Mageia Packages <packages@mageia.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
[root@x3 ~]# gpg --list-key 80420F66
pub   4096R/80420F66 2011-02-07 [expired: 2012-03-13]
uid                  Mageia Packages <packages@mageia.org>

The version of the key with the expiry date extended is available on the
key servers.
[root@x3 ~]# gpg --keyserver pool.sks-keyservers.net --recv-keys 80420F66
gpg: requesting key 80420F66 from hkp server pool.sks-keyservers.net
gpg: key 80420F66: "Mageia Packages <packages@mageia.org>" 10 new signatures
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:         new signatures: 10
[root@x3 ~]# gpg --list-key 80420F66
pub   4096R/80420F66 2011-02-07 [expires: 2020-12-30]
uid                  Mageia Packages <packages@mageia.org>

CC: (none) => davidwhodgins

Comment 2 Thomas Backlund 2019-06-22 01:41:28 CEST
Indeed. Seems we've been shipping an outdated key for a long time.

Now fixed both on mga6 and cauldron repos and these packages are now:

SRPMS:
mageia-repos-6-3.mga6.src.rpm


i586:
mageia-repos-6-3.mga6.i586.rpm
mageia-repos-cauldron-6-3.mga6.i586.rpm
mageia-repos-keys-6-3.mga6.noarch.rpm
mageia-repos-pkgprefs-6-3.mga6.noarch.rpm


x86_64:
mageia-repos-6-3.mga6.x86_64.rpm
mageia-repos-cauldron-6-3.mga6.x86_64.rpm
mageia-repos-keys-6-3.mga6.noarch.rpm
mageia-repos-pkgprefs-6-3.mga6.noarch.rpm

Summary: Update request: mageia-repos-6-2.mga6 => Update request: mageia-repos-6-3.mga6

Comment 3 Dave Hodgins 2019-06-22 06:10:41 CEST
[root@x3 ~]# gpg --import /etc/pki/rpm-gpg/RPM-GPG-KEY-Mageia
gpg: key 80420F66: public key "Mageia Packages <packages@mageia.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
[root@x3 ~]# gpg --list-key 80420F66
pub   4096R/80420F66 2011-02-07 [expires: 2025-12-31]
uid                  Mageia Packages <packages@mageia.org>

Thanks. I don't agree with rpm silently ignoring expired keys, but that's
clearly what it does. It's encouraging unsafe key usage. In my opinion, rpm
should be changed to only allow the use of expired keys with some sort of
user specified override.
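
Added example (not part of the bug thread or of Mageia's tooling): because, as the comment above observes, rpm did not flag the expired key, a packaging or QA check can read the expiry directly from gpg's colon-delimited listing. The function names and the abbreviated sample records are constructed for illustration, with timestamps set to midnight UTC on the dates shown in the thread.

```shell
#!/bin/sh
# Classify each primary key in `gpg --with-colons` output by expiry.
# In the colon format a "pub" record carries the key ID in field 5 and the
# expiry time (seconds since the epoch, empty if none) in field 7.
# key_expiry_status, any_expired and sample_* are hypothetical names.

key_expiry_status() {   # stdin: colon listing; $1: reference epoch; $2: warn days
    now=${1:-$(date +%s)}
    warn_days=${2:-90}
    awk -F: -v now="$now" -v warn="$warn_days" '
        $1 == "pub" {
            expiry = $7
            if (expiry == "")                        status = "NOEXPIRY"
            else if (expiry + 0 <= now + 0)          status = "EXPIRED"
            else if (expiry - now <= warn * 86400)   status = "EXPIRING"
            else                                     status = "OK"
            print $5, status, (expiry == "" ? "-" : expiry)
        }'
}

any_expired() {         # exit status 0 if any primary key on stdin is expired
    key_expiry_status "$@" | grep -q ' EXPIRED '
}

# Constructed, abbreviated records: the key as first shipped (expiry
# 2012-03-13) and after the fix (expiry 2025-12-31).
sample_old_key() {
    printf '%s\n' \
      'pub:e:4096:1:B742FA8B80420F66:1297036800:1331596800::-:::sc:' \
      'uid:e::::1297036800::::Mageia Packages <packages@mageia.org>:'
}
sample_new_key() {
    printf '%s\n' \
      'pub:-:4096:1:B742FA8B80420F66:1297036800:1767139200::-:::sc:' \
      'uid:-::::1297036800::::Mageia Packages <packages@mageia.org>:'
}

# Demo, evaluated as of 2019-06-22 00:00 UTC (1561161600).
sample_old_key | key_expiry_status 1561161600
sample_new_key | key_expiry_status 1561161600

# Real use, assuming a GnuPG version that supports --show-keys:
#   gpg --with-colons --show-keys /etc/pki/rpm-gpg/RPM-GPG-KEY-Mageia | any_expired
```

Run against the key file inside a built mageia-repos-keys package, a non-zero result from `! any_expired` can fail the build before an expired key is shipped.
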
Comment 4 PC LX 2019-06-23 16:35:37 CEST
Installed with issues.

Mageia Packages sign key now valid until 2025-12-31.

$ uname -a
Linux marte 4.14.127-desktop-1.mga6 #1 SMP Mon Jun 17 21:30:07 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep mageia-repos
mageia-repos-6-3.mga6
mageia-repos-keys-6-3.mga6
mageia-repos-pkgprefs-6-3.mga6
$ gpg --list-key "Mageia Packages <packages@mageia.org>"
gpg: using classic trust model
pub   rsa4096 2011-02-07 [SCEA] [expires: 2025-12-31]
      00EDB89585B012A8916F0DF8B742FA8B80420F66
uid           [ unknown] Mageia Packages <packages@mageia.org>

CC: (none) => mageia

Comment 5 Thomas Backlund 2019-06-27 22:48:35 CEST
Flushing out before mga7

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2019-06-28 00:05:14 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2019-0044.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED