On Tue, Oct 31, 2023 at 1:38 PM Vít Ondruch <vondruch@xxxxxxxxxx> wrote: > > > Dne 31. 10. 23 v 16:23 Petr Pisar napsal(a): > > Hello, > > > > DNF5 got a complaint > > <https://github.com/rpm-software-management/dnf5/issues/991> that "dnf update > > https://..."; skips verifying package signatures: > > > > $ sudo dnf update https://kojipkgs.fedoraproject.org//packages/gnome-control-center/45.1/2.fc40/data/signed/a15b79cc/x86_64/gnome-control-center-45.1-2.fc40.x86_64.rpm https://kojipkgs.fedoraproject.org//packages/gnome-control-center/45.1/2.fc40/data/signed/a15b79cc/noarch/gnome-control-center-filesystem-45.1-2.fc40.noarch.rpm > > [...] > > Warning: skipped PGP checks for 2 package(s). > > > > A DNF5 developer confirmed that old DNF4 does not verify signatures too. > > The verification happens only for packages comming from a repository. Why DNF5 > > looks bad is because it actually prints the warning and thus keeps the user > > better informed. > > > > The nonchecking behavior probably exists to make installing local packages > > easy. If DNF5 would insist on checking the signatures, Fedora users would have > > to pass --no-gpgchecks option to their "dnf5" commands to override the new > > default, or start signing their packages. As always security is not easy. > > > > Because this an old behavior and some users probably depend on it, enabling > > the verification for all cases looks like an abrupt change. > > > > I would would like to hear your opinion: Should DNF5 start verifying all > > packages? Should DNF5 keep ignoring signatures for out-of-repository packages? > > Or should rather narrow the verification skip to packages from a local file > > system? Any other options? > > > Or maybe verify what it can and report the packages which can't be > verified? You can notice that I was actually installing singed packages. > > But I would (probably) not mind to explicitly specify `--no-gpgcheck`. I > still would swear this used to be needed, that is why I try to install > the signed packages. I could have sworn the same thing. I think that it should be an error if any package (it doesn't matter if it is local or not) cannot be verified, unless `--nogpgcheck` is specified. This seems like the only secure-by-default option. No RPM should be allowed to be installed if it can't be verified, unless the user explicitly allows it. If less secure options are provided (such as only providing a warning message or skipping verification of local RPMs), then an option must be provided to force the secure-behavior to prevent the installation of any RPMs that haven't been verified (something like `--requiregpgcheck`). But my strong preference is that it require GPG checks by default. That is the behavior that is implied by the existence of the `--nogpgcheck` flag and the non-existence of any other related flags. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
