On Wed, Jul 31, 2019 at 2:45 PM Kevin Fenzi <kevin@xxxxxxxxx> wrote: > > On 7/31/19 11:09 AM, Florian Weimer wrote: > > * Jason L. Tibbitts, III: > > > > At one point, RPM wrote unchecked file contents to disk, leading to > > vulnerabilities such as CVE-2013-6435. At the time, it was not possible > > to teach RPM to verify the data before writing it. > > > >> If it is, then great, though signatures still have value because there > >> are other ways to get RPMs than letting dnf hit the mirror network. > > > > I think dnf only performs signature checking if the RPMs are downloaded > > from repositories. > > Yep. I am pretty sure that is the case. > By default this is the case, but you can configure DNF to validate signatures for all cases if you want. You just set localpkg_gpgcheck=1 in /etc/dnf/dnf.conf That said, you probably don't want to do that, since most downloaded packages aren't signed... -- 真実はいつも一つ!/ Always, there's only one truth! _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
