From daniel.8wp at wp.pl  Tue Feb  4 18:20:08 2025
From: daniel.8wp at wp.pl (=?UTF-8?Q?daniel=2E8wp=40wp=2Epl?=)
Date: Tue, 04 Feb 2025 18:20:08 +0100
Subject: =?UTF-8?Q?New_iso_PLD?=
Message-ID: <30e46576b0f64d94993871c33a6e539b@grupawp.pl>

Hi,  Where is the last iso of PLD Linux? I opened the ftp link from filezilla, but I can&#39;t find latest iso.  Thanks for help  Daniel Karpi?ski


From krzysztof at mrozowicz.eu  Wed Feb  5 18:49:28 2025
From: krzysztof at mrozowicz.eu (Krzysztof Mrozowicz)
Date: Wed, 5 Feb 2025 17:49:28 +0000
Subject: New iso PLD
In-Reply-To: <30e46576b0f64d94993871c33a6e539b@grupawp.pl>
References: <30e46576b0f64d94993871c33a6e539b@grupawp.pl>
Message-ID: <01020194d73b3419-0c3db163-07fd-4e0d-883d-7c2980eef578-000000@eu-west-1.amazonses.com>

Dnia 2025-02-04, o godz. 18:20:08
daniel.8wp at wp.pl <daniel.8wp at wp.pl> napisa?(a):

> Hi,  Where is the last iso of PLD Linux?
This is the most recent PLD Live iso, as far as I know. If that's what
you are looking for.

https://github.com/pld-linux-org/pld-new-rescue/releases

-- 
Krzysiek


From baggins at pld-linux.org  Sat Feb  8 23:53:44 2025
From: baggins at pld-linux.org (Jan =?utf-8?Q?R=C4=99korajski?=)
Date: Sat, 8 Feb 2025 23:53:44 +0100
Subject: rpm 4.20, sequoia OpenPGP and old packages
Message-ID: <Z6fe1NB9iJzBVFoB@tachikoma.lan>

TL;DR Packages with non-conformant OpenPGP signatures must be
resinstalled with --nosignature.

rpm 4.20 dropped the venerable rpmpgp custom library in favor of
rpm-sequoia (https://sequoia-pgp.org/). The side effect is that
sequoia is much stricter in validating signatures and fail if the
format is non-conformat to the standard. What it means is that
packages built with rpm5 cannot be installed and ones already
installed will cause errors and must be reinstalled.

The former problem is fixed, I have re-signed all packages in main
PLD Th repo.

The later is more involved, because rpm will barf without telling
which package ails it.

The easiest way to check if your system is affeted is to run
`rpm -qa --nosignature --qf ''` (which should output nothing) and watch
if you see errors like those at the end of this message.
In case you do, just run the below command, which will update rpm db
for every bad package with the corrected one.

rpm -qa --nosignature --qf '%{name}\n' | while read p ; do
  rpm -V --nofiledigest --nofiles --nodigest $p 2>&1 | \
    grep -Eoq "non-conformant OpenPGP implementation|no certificate was provided" && poldek -q --reinstall --justdb --pmopt=--nosignature $p
done

Final words - while we could stick to rpmpgp_legacy library for now,
since it still can be used after going through some hoops, it will not
be pssible in the future, so let's deal with this now.

Sample errors:

-----------------
error: rpmdbNextIterator: skipping h#    1292
Header DSA signature: BAD (header tag 267: invalid OpenPGP signature: Parsing an OpenPGP packet:
  Failed to parse Signature Packet
        because: Signature appears to be created by a non-conformant OpenPGP implementation, see <https://github.com/rpm-software-management/rpm/issues/2351>.
              because: Malformed MPI: leading bit is not set: expected bit 8 to be set in   100011 (23))
              Header SHA1 digest: OK
-----------------
error: Verifying a signature, but no certificate was provided:
  Signature fcf4 created at Thu Aug 16 07:33:10 2018 invalid: signature is not alive
        because: Expired on 2018-09-15T07:33:10Z
error: rpmdbNextIterator: skipping h#     881
Header V4 DSA/SHA1 Signature, key ID 61ac3fd4: BAD
Header SHA1 digest: OK
-----------------

-- 
Jan R?korajski                    | PLD/Linux
SysAdm | baggins<at>pld-linux.org | http://www.pld-linux.org/