Re: DNF5: Checking signatures of packages installed out of a repository?

On Tue, Oct 31, 2023 at 4:24 PM Petr Pisar <ppisar@xxxxxxxxxx> wrote:
>
> Hello,
>
> DNF5 got a complaint
> <https://github.com/rpm-software-management/dnf5/issues/991> that "dnf update
> https://..." skips verifying package signatures:
>
>     $ sudo dnf update https://kojipkgs.fedoraproject.org//packages/gnome-control-center/45.1/2.fc40/data/signed/a15b79cc/x86_64/gnome-control-center-45.1-2.fc40.x86_64.rpm https://kojipkgs.fedoraproject.org//packages/gnome-control-center/45.1/2.fc40/data/signed/a15b79cc/noarch/gnome-control-center-filesystem-45.1-2.fc40.noarch.rpm
>     [...]
>     Warning: skipped PGP checks for 2 package(s).
>
> A DNF5 developer confirmed that old DNF4 does not verify signatures either.
> The verification happens only for packages coming from a repository. Why DNF5
> looks bad is because it actually prints the warning and thus keeps the user
> better informed.
>
> The non-checking behavior probably exists to make installing local packages
> easy. If DNF5 insisted on checking the signatures, Fedora users would have
> to pass the --no-gpgchecks option to their "dnf5" commands to override the new
> default, or start signing their packages. As always, security is not easy.
>
> Because this is an old behavior and some users probably depend on it, enabling
> the verification for all cases looks like an abrupt change.
>
> I would like to hear your opinion: Should DNF5 start verifying all
> packages? Should DNF5 keep ignoring signatures for out-of-repository packages?
> Or should it rather narrow the verification skip to packages from a local file
> system? Any other options?

I wonder - how would DNF (4 or 5 doesn't matter) know how to check that at all?
I mean, if the package isn't associated with a repository (like
installing an RPM directly), which GPG key should it even be checked
against?

Fabio
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
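Fabio's question of which key an out-of-repository package should be checked against has a concrete answer at the rpm level: rpmkeys verifies against the keys already imported into the rpm database and reports NOKEY when the signature comes from a key that is not there. The script below is an added example, not code from the thread, from DNF or from rpm; it wraps that check for packages that dnf would otherwise skip, and assumes rpmkeys is installed and that its verbose output has the shape shown in the constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread, DNF or rpm): check a downloaded or local
# RPM with rpmkeys before giving it to dnf. rpmkeys verifies against the keys
# imported into the rpm database, the same keys a repo's gpgkey= would supply.
# Assumes rpm >= 4.10. To see which keys rpmkeys trusts on this host:
#   rpm -q gpg-pubkey --qf '%{summary}\n'

# classify_sig: read "rpmkeys -Kv FILE" output on stdin, print one verdict.
#   TRUSTED      signed by a key already in the rpm keyring
#   UNKNOWN_KEY  signed, but the key is not imported (rpm prints NOKEY)
#   BAD          a signature or digest failed to verify
#   UNSIGNED     digest lines only, no signature lines at all
# Precedence: BAD > UNKNOWN_KEY > TRUSTED > UNSIGNED.
classify_sig() {
    verdict=UNSIGNED
    while IFS= read -r line; do
        case "$line" in
            *": BAD")
                verdict=BAD ;;
            *"Signature, key ID "*": NOKEY")
                [ "$verdict" = BAD ] || verdict=UNKNOWN_KEY ;;
            *"Signature, key ID "*": OK")
                [ "$verdict" != UNSIGNED ] || verdict=TRUSTED ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# check_rpm FILE: print the verdict and succeed only for TRUSTED. rpmkeys
# itself exits non-zero on NOKEY and BAD, so its status is ignored and the
# text is classified instead.
check_rpm() {
    out=$(rpmkeys -Kv "$1" 2>&1) || true
    v=$(printf '%s\n' "$out" | classify_sig)
    printf '%s: %s\n' "$1" "$v"
    [ "$v" = TRUSTED ]
}

# Constructed sample (key ID taken from the koji URL in the thread) of the
# case dnf's warning hides: signed, but by a key this host never imported.
SAMPLE_NOKEY='pkg.rpm:
    Header V4 RSA/SHA256 Signature, key ID a15b79cc: NOKEY
    Header SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID a15b79cc: NOKEY
    MD5 digest: OK'

if [ "$#" -eq 0 ]; then
    printf 'sample: %s\n' "$(printf '%s\n' "$SAMPLE_NOKEY" | classify_sig)"  # sample: UNKNOWN_KEY
else
    rc=0; for f in "$@"; do check_rpm "$f" || rc=1; done; exit "$rc"
fi
```

Run it with the .rpm files as arguments to check real packages; an UNKNOWN_KEY verdict means the package is signed but nothing on the host vouches for the signer, which is the situation the "skipped PGP checks" warning leaves undecided.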