On Tue, Oct 31, 2023 at 7:50 PM Kevin Fenzi <kevin@xxxxxxxxx> wrote:
>
> FWIW, from what I can recall, yum used to check all packages, but this
> resulted in tons of people complaining because they did not want it to
> check their local packages. So, a localpkg_gpgcheck option was added and
> set to false. dnf4 still has this option.

I wasn't aware of that change in behavior. I can't find that option documented in the man page for dnf or any other readily available docs about dnf in my installation, or present in my dnf.conf file.

I don't remember anybody ever complaining, certainly not "tons of people". Using local RPMs is a pretty rare thing. I can't imagine too many people complaining about this. It was never much of a burden, and to the extent that it was, it was a burden that was a worthwhile tradeoff for increased security.

It's also not clear when this option would take effect. Would it take effect if I did `dnf install /path/to/local/file` or just when I did `dnf localinstall /path/to/local/file`? What if I did `dnf localinstall remotepath:/to/remote/file`? All of these work, as it seems "localinstall" and "install" both just work if given a URL, local or remote.

This option seems poorly rolled out, unclear in function, and overall bad for security.

>
> It's also worth noting that if you pass yum/dnf/dnf5 urls for the
> package(s) you want to install, it's not using a repo at all, it's
> downloading those packages and treating them as local packages.

Is this meant to imply that it doesn't do checks by default whenever you pass a URL?! That's even worse! From this user's perspective, a URL pointing to a package in a repo, is just a more fully-qualified way of specifying the shorthand package name. It seems very odd if passing a fully-qualified path to a remote package results in less security than specifying the (possibly ambiguous) shortname for a package that DNF resolves via NVR.
>
> kevin
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
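
Added example, not part of the original message and not dnf's own code: a small audit of dnf-style configuration text that reports whether signature checking is effectively on for repository packages and for local package files, the two cases the thread distinguishes. The function name, the sample configuration and the repository name are constructed; the option names `gpgcheck` and `localpkg_gpgcheck` and their `False` defaults are taken from dnf.conf(5).

```python
import configparser

# dnf.conf(5) documents both options as booleans that default to False
# when they are absent from the configuration.
DEFAULTS = {"gpgcheck": False, "localpkg_gpgcheck": False}

# Constructed sample, not taken from any real host.
SAMPLE_CONF = """\
[main]
gpgcheck=1
installonly_limit=3

[example-repo]
name=Example repository (constructed)
baseurl=https://repo.example.invalid/f39/
gpgcheck=0
"""


def audit_dnf_config(text):
    """Return (effective [main] settings, list of findings) for INI text.

    Pass the contents of dnf.conf, optionally concatenated with .repo files.
    """
    # interpolation=None: repo URLs may contain '%'; strict=False: tolerate
    # sections repeated across concatenated files.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)

    # A missing [main] section or missing key falls back to the default.
    effective = {
        key: cp.getboolean("main", key, fallback=default)
        for key, default in DEFAULTS.items()
    }

    findings = []
    if not effective["gpgcheck"]:
        findings.append("[main] gpgcheck is off for repository packages")
    if not effective["localpkg_gpgcheck"]:
        # Per the quoted message, packages passed by URL count as local too.
        findings.append("[main] localpkg_gpgcheck is off for local package files")

    # A repository section may override the [main] gpgcheck value.
    for section in cp.sections():
        if section == "main":
            continue
        if not cp.getboolean(section, "gpgcheck", fallback=effective["gpgcheck"]):
            findings.append(f"[{section}] gpgcheck is off for this repository")
    return effective, findings
```

Setting `localpkg_gpgcheck=1` under `[main]` clears the second finding; for a single file, `rpm -K /path/to/local/file` checks the signature before any install.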