|
|
在linuxsir“休假”期间,Fedora世界里发生了件大事:Fedora为更新启用了新的密钥,现将https://fedoraproject.org/wiki/Enabling_new_signing_key
的内容逐步翻译过来,愿有益于新手,并盼高手指正:
Enabling new signing key
From FedoraProject
Jump to: navigation, search
The Fedora Project recently re-signed all of its packages with a new key. Background details regarding the key change are found here. This page exists to aide users in the transition to the newly signed content and further updates for Fedora 8 and Fedora 9.
Fedora项目近期重新用新密钥标记了所有的包。有关密钥更改的背景细节现发布于此。本网页旨在帮助Fedora 8和Fedora 9用户向新标记的内容和未来的更新转移。
What is happening?
发生了什么事?
All of the existing Fedora 8 and Fedora 9 released packages and updates are to be re-signed with new GPG keys. The newly signed content will be placed in new directories on the mirrors, and new fedora-release packages will be issued to the old locations signed with the old key that reference these new locations and the new GPG keys.
Fedora 8和Fedora 9现有的所有发布包和更新,将以新的GPG密钥重新标记。新标记的内容会放在镜像中的新目录里,新的fedora-release包会发布在原来的地方,它以原密钥标记,并会引用新的地址和新GPG密钥。
Why?
为什么?
Fedora treats the security and trust of its users very carefully, and we want Fedora users to have zero doubt that the packages they receive are in fact from Fedora. Since we cannot in good faith continue to use the previously used GPG signing key, we have created new keys. The transition fedora-release packages and PackageKit updates are signed with the old key, so that existing users can install them automatically given pre-existing trust in the old key. These should be the last packages ever signed with the old keys.
Fedora对待安全问题和用户的信任是审慎的,我们要让Fedora的用户毫不怀疑他们获得的软件包确来自于Fedora。因为我们对继续使用以前的GPG 密钥未能有十足的信心,故而创建了新的密钥。用于转移的fedora-release包和PackageKit更新均以原密钥标记,如果原密钥得到信任的话,现有的用户则可以自动安装它们。它们将是用原密钥标记的最后的软件包。
When?
何时?
The re-signing is happening in to phases. Phase 1 consists of re-signing all of the published Fedora 8 and Fedora 9 updates and testing updates, as well as the pending updates. Phase 2 consists of re-signing all the release packages for Fedora 8 and Fedora 9. Phase 1 is now complete, and Phase 2 is progressing. In order to get important updates to users, we are enabling the Fedora 8 and Fedora 9 update flow now that Phase 1 is done.
软件包的重新标记工作分阶段实施。第一阶段包括重新标记所有发布过的Fedora 8 和Fedora 9更新、更新测试以及待定更新。第二阶段包括重新标记Fedora 8 和Fedora 9所有发行软件包。第一阶段现己完成,第二阶段正在进行中。为了使用户得到重要的更新,鉴于第一阶段现己完成,我们开启了Fedora 8 和Fedora 9的更新进程。
How?
如何做?
A page detailing the steps involved with re-signing all the Fedora 8 and 9 content exists here. We are making every effort to keep end user interaction to a bare minimum, and hopefully it can be a completely seamless process for end users.
本网页细述了有关重新标记Fedora 8 和Fedora 9所有内容的步骤。我们正尽一切努力来保证最終用户的更新过程尽可能简短,并希望它完全无缝平滑。
What do I have to do?
我该做什么?
Apply the next set of updates you see available. Then apply any further updates you see, verifying and importing the new GPG key along the way as prompted by your update software. That's it.
应用你看到的下一批的可用更新,然后应用你看到的其它进一步的更新,在此过程中按更新软件的提示,确认并导入新的GPG密钥。这就行了。
Checking key fingerprints
检查密钥指纹
Key fingerprints can be checked against https://fedoraproject.org/keys.
密钥指纹可在此处检查: https://fedoraproject.org/keys
What if something goes wrong?
如果有什么不对劲怎么办?
If your update software fails along the way, here are some manual steps you can take to update yourself.
如果你的软件更新未成功执行,以下是手动的更新步骤:
Install new fedora-release
安装新的fedora-release包
Fedora 8
1. Download the updated and signed fedora-release package.
下载更新并标记了的fedora-release包。
2. Verify that the package sha1sum matches 9a684ad36f4c1f49df7c569d5990d00f7da2cb9c:
确认该包的sha1sum符合9a684ad36f4c1f49df7c569d5990d00f7da2cb9c:
sha1sum fedora-release-8-6.transition.noarch.rpm
3. Install the package via rpm:
用rpm安装该包:
su -c 'rpm -Uvh fedora-release-8-6.transition.noarch.rpm'
4. Move on to importing the new key.
继续导入新密钥。
Fedora 9
1. Download the updated and signed fedora-release package.
下载已经更新并标记了的fedora-release包。
2. Verify that the package sha1sum matches 259165485c16d39904200b069873967e3eb5fa6e:
确认该包的sha1sum符合259165485c16d39904200b069873967e3eb5fa6e:
sha1sum fedora-release-9-5.transition.noarch.rpm
3. Install the package via rpm:
用rpm安装该包:
su -c 'rpm -Uvh fedora-release-9-5.transition.noarch.rpm'
4. Move on to importing the new key.
继续导入新密钥。
Import the new key
导入新密钥
1. Verify and import the new GPG key to your GPG keyring as per https://fedoraproject.org/keys.
确认并向钥匙集导入新的GPG密钥,请参见:https://fedoraproject.org/keys
2. Import the key into the RPM database:
向RPM数据库导入密钥:
su -c 'rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-8-and-9'
3. Use your update tool to get and install any new updates from the new location
用更新工具获得并安装任何来自新地址的更新。
Old key on system
系统上的原密钥
There are still some dependancies on the old key. As soon as these are resolved, the old key and old repo configuration will be purged from installed Fedora machines using an updated rpm and fedora-release package.
现在我们仍然对原密钥有所依赖。一但这些依赖问题解决,我们会用更新的rpm和fedora-release包将原密钥和原软件库的设置从现有的Fedora系统中清除。
Known Issues
己知的问题
In all cases it is best to use the manual processes listed above for making the transition. Here is a living list of known issues that may happen during the transition:
在任何情况下,最好用上述的手动方法来转移。这里会不断更新地列出在转移过程中可能出现的问题:
* PackageKit may fail to import the new key. To resolve the problem, use the manual steps above.
PackageKit可能无法导入新密钥。用上述手动方法解决此问题。
* PackageKit may not notify you of any new updates after installing the first set. To resolve the problem, run Update System manually, or restart your system.
在安装了第一批更新后,PackageKit可能不会通知你有新的更新,你得手动进行系统更新,或者重启系统。
* Some mirrors may have broken dependencies when updating to content in the new repo. This unfortunately happens from time to time, and we'll be working hard to resolve any such occurrences with further update pushes. To resolve the problem, select a subset of updates to apply, such as only the security related updates.
在更新到新的软件库时,有的镜像可能存在错误的依赖。我们感到遗憾的是,这种情形还在不时出现。我们会以更进一步的更新努力来解决这些问题。针对这个问题的解决方法是:你可选择应用部份更新,比如只更新那些与安全有关的包。
o If you receive an error relating to yum-utils, resolve the problem by excluding yum packages, using this command:
如果得到有关yum-utils的错误,排除yum包可以解决问题:
su -c 'yum update --exclude yum --exclude yum-utils'
o You can work around this problem in general by using this command:
也可用此普遍适用的方法来解决:
su -c 'yum --skip-broken update'
* You may see one or both of the following warnings. You can safely ignore these warnings. These repositories and corresponding files on your system are no longer required for getting new updates, and can be left alone. (The \ indicates a line break.)
你或许得到下列一个或全部警告。忽略这些警告是安全的。已经不再需要这些软件库和你系统中相应的文件来获得更新了,把它们留在那里并无大碍。(“\“是换行符)
warning: /etc/yum.repos.d/fedora-updates.repo created as \
/etc/yum.repos.d/fedora-updates.repo.rpmnew
warning: /etc/yum.repos.d/fedora.repo created as \
/etc/yum.repos.d/fedora.repo.rpmnew
* Having the yum plugin protectbase (yum-protectbase) installed and enabled for the Fedora repos (old key) may prevent updates being available from the new key repos. You can check if you have it installed with rpm -q yum-protectbase. It may be best to disable the protectbase plugin for the old key repos by editing the .repo files in /etc/yum.repos.d and changing protect=yes to protect=no. Alternately, check for updates without protectbase enabled:
安装了protectbase (yum-protectbase)这个yum的插件并用之于Fedora原软件库时,它会阻止来自于新密钥软件库的更新。用“rpm -q yum-protectbase”来检查你是否安装了它。最好编辑在/etc/yum.repos.d的.repo文件,使protect=yes 为protect=no,来让针对原密钥的protectbase失效。或者,在检查更新的时候不要使用protectbase:
su -c 'yum --skip-broken --disableplugin=protectbase update'
Questions?
有问题吗?
As questions come up throughout the Fedora community they will be posted and answered here. The discussion tab is also available for questions or comments.
鉴于来自Fedora社区各方的问题将在此张贴并回答,此处的讨论版将用于发布问题和评论。
Contact
联系
If you wish to contact those involved with this process, you can find us on IRC on freenode network, #fedora-admin channel.
如果你想联系那些参与此过程的人们,可以在freenode网的IRC,#fedora-admin频道上找到我们。 |
|
IP卡
狗仔卡
发表于 2008-9-24 21:05:14
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡
楼主