On 01/31/2013 12:26 PM, Craig White wrote:
You should install the repo key on your system prior to ever installing packages. If you import the key, you don't have this problem. Instructions are on rpmfusion.org website for this purpose.
I do. I've been having intermittent issues with rpmfusion (only) about packages where the key doesn't match on my F16 desktop for over a year. Today, there was one update from there and it installed without a problem, with the gpg check enabled, so it looks like I should have the right key installed.
Yum's 'nogpgcheck' option bypasses the signature requirement on packages which means that you could install packages from anyone claiming to be rpmfusion.org. It is relatively simple to poison someone's DNS and direct them to some other repo so while you trust rpmfusion.org, you are also trusting your DNS not to lie to you.
I normally use yumex every day and when the error pops up, I unselect everything from rpmfusion and tell yumex to try again. Then, I examine the remaining updates to make sure they're what I expect to see and tell yumex to turn off the gpg check for that run only. I'm very, very careful about what I allow to update that way and I'd never suggest that anybody turn it off completely, or if they're not sure that they trust the repo in question. And, if you'll go back and look at what I originally wrote, I made sure to warn the OP to be careful with it. (I'll go even farther, now: if you're not sure it's safe, or you're not comfortable with doing it, don't.)
-- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
