#3372 Old Fedora GPG keys are not revoked
Closed: Fixed None Opened 11 years ago by till.

= bug description =
https://fedoraproject.org/keys contains a list of keys that are not used anymore. But they do not seem to be revoked.

= bug analysis =

It was forgotten to revoke the respective keys.

= fix recommendation =

Revoke the keys. It would be best to also use the correct timestamp in the revocation certificate.


We have never revoked any of the keys.

Replying to [comment:1 ausil]:

We have never revoked any of the keys.

This does not mean that it is a good idea to not revoke them.

What advantage(s) would be gained by doing so?

Replying to [comment:3 kevin]:

What advantage(s) would be gained by doing so?

Then the proper way will be used to notify people of the validity of the respective keys. Since they are not only used by yum/rpm but also to verify Fedora images, it will show people using an old key to verify an old image that the key is no longer valid. Additionally it would also be nice to set an expiry date for keys.

Login to comment on this ticket.

Metadata