[PATCH keyring] usign: drop personal + outdated keys except 21.02
Hauke Mehrtens
hauke at hauke-m.de
Sat Apr 3 19:53:56 BST 2021
On 3/30/21 10:53 AM, Paul Spooren wrote:
> The ./usign folder is added to every OpenWrt image, it should only
> contain the most necessary keys. At this point it contains both a
> selection of personal developer keys and keys of EOL releases.
>
> Remove them all and only keep the 21.02 key.
>
> A future commit should add a "next release" key, which is later renamed
> to the next release name (e.g. 21.08). This approach should allow secure
> upgrade between releases.
>
> Signed-off-by: Paul Spooren <mail at aparcar.org>
> ---
> This commit should be merged into an `openwrt-21.02` branch which is then
> selected by the 21.02 release.
> --- a/usign/b5043e70f9a75cde
> +++ /dev/null
> @@ -1,2 +0,0 @@
> -untrusted comment: Public usign key for unattended snapshot builds
> -RWS1BD5w+adc3j2Hqg9+b66CvLR7NlHbsj7wjNVj0XGt/othDgIAOJS+
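Review bot: The deleted file usign/b5043e70f9a75cde is labelled "Public usign key for unattended snapshot builds", and the two categories the commit message gives for removal (personal developer keys, keys of EOL releases) do not obviously cover it. The commit message should say explicitly why the snapshot key is dropped along with the others, and the branch restriction that currently appears only in the note below the "---" (merge into an openwrt-21.02 branch) should move into the commit message itself, since that note is lost when the patch is applied and nothing in the hunk keeps the deletion out of other branches.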
This key should probably not get deleted in master.
I would prefer if we only copy some keys in
package/system/openwrt-keyring/Makefile to the final image. This way we
can keep the existing repository and do not have to branch it, but we
can just add some keys to each release.
Hauke