Re: DNF5: Checking signatures of packages installed out of a repository?

On Tue, Oct 31, 2023 at 7:50 PM Kevin Fenzi <kevin@xxxxxxxxx> wrote:
>
> FWIW, from what I can recall, yum used to check all packages, but this
> resulted in tons of people complaining because they did not want it to
> check their local packages. So, a localpkg_gpgcheck option was added and
> set to false. dnf4 still has this option.

I wasn't aware of that change in behavior. I can't find that option
documented in the man page for dnf or any other readily available docs
about dnf in my installation, or present in my dnf.conf file. I don't
remember anybody ever complaining, certainly not "tons of people".
Using local RPMs is a pretty rare thing. I can't imagine too many
people complaining about this. It was never much of a burden, and to
the extent that it was, it was a burden that was a worthwhile tradeoff
for increased security.

It's also not clear when this option would take effect. Would it take
effect if I did `dnf install /path/to/local/file` or just when I did
`dnf localinstall /path/to/local/file`? What if I did `dnf
localinstall remotepath:/to/remote/file`? All of these work, as it
seems "localinstall" and "install" both just work if given a URL,
local or remote.

This option seems poorly rolled out, unclear in function, and overall
bad for security.

>
> It's also worth noting that if you pass yum/dnf/dnf5 urls for the
> package(s) you want to install, it's not using a repo at all, it's
> downloading those packages and treating them as local packages.

Is this meant to imply that it doesn't do checks by default whenever
you pass a URL?! That's even worse! From this user's perspective, a
URL pointing to a package in a repo is just a more fully-qualified
way of specifying the shorthand package name. It seems very odd if
passing a fully-qualified path to a remote package results in less
security than specifying the (possibly ambiguous) shortname for a
package that DNF resolves via NVR.

>
> kevin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
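As an added example (not code from DNF or from either poster), the audit below reads dnf.conf / *.repo text and reports the two settings this exchange turns on: the main-section localpkg_gpgcheck and each repository's effective gpgcheck. It assumes dnf4 semantics as described in the thread: a repo section without its own gpgcheck inherits [main], and gpgcheck and localpkg_gpgcheck are both off when absent; the configuration text is constructed for the demonstration, and the script checks configuration only, not package signatures.

```python
# Added example, not DNF's own code: audit dnf.conf / *.repo text for the
# signature-check settings the thread discusses. Assumes dnf4 semantics: a repo
# without its own gpgcheck inherits [main]; gpgcheck and localpkg_gpgcheck
# default to off when absent.
import configparser

_TRUE = {"1", "yes", "true", "on"}    # boolean spellings dnf accepts
_FALSE = {"0", "no", "false", "off"}


def parse_bool(value, default=False):
    """Interpret a dnf-style boolean; return `default` when unset or unrecognised."""
    if value is None:
        return default
    v = value.strip().lower()
    return True if v in _TRUE else False if v in _FALSE else default


def audit(config_text):
    """Return localpkg_gpgcheck and the effective gpgcheck of every repo section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(config_text)
    main = cp["main"] if cp.has_section("main") else {}
    main_gpgcheck = parse_bool(main.get("gpgcheck"))
    repos = {}
    for section in cp.sections():
        if section != "main":
            # No gpgcheck line in the repo section -> inherit whatever [main] says.
            repos[section] = parse_bool(cp[section].get("gpgcheck"), main_gpgcheck)
    return {"localpkg_gpgcheck": parse_bool(main.get("localpkg_gpgcheck")),
            "repos": repos}


def weak_settings(findings):
    """Settings to flag: local packages unchecked, or a repo with gpgcheck off."""
    weak = [] if findings["localpkg_gpgcheck"] else ["localpkg_gpgcheck"]
    weak += [f"{r}: gpgcheck" for r, on in findings["repos"].items() if not on]
    return weak


# Constructed sample: [main] checks repo packages but says nothing about local
# ones; one third-party repo turns checking off; one repo inherits from [main].
SAMPLE = """[main]
gpgcheck=1
[thirdparty]
gpgcheck=0
[inherits-main]
name=no gpgcheck line here
"""

if __name__ == "__main__":
    print(weak_settings(audit(SAMPLE)))  # ['localpkg_gpgcheck', 'thirdparty: gpgcheck']
```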