On Wed, Nov 01, 2023 at 11:05:33AM -0400, Christopher wrote:
> On Tue, Oct 31, 2023 at 7:50 PM Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> >
> > FWIW, from what I can recall, yum used to check all packages, but this
> > resulted in tons of people complaining because they did not want it to
> > check their local packages. So, a localpkg_gpgcheck option was added and
> > set to false. dnf4 still has this option.
>
> I wasn't aware of that change in behavior. I can't find that option
> documented in the man page for dnf or any other readily available docs
> about dnf in my installation, or present in my dnf.conf file. I don't
Odd. It's in the dnf.conf man page here in rawhide:
"localpkg_gpgcheck
boolean
Whether to perform a GPG signature check on local packages (packages in a
file, not in a repository). The default is False. This option is subject to
the active RPM security policy (see gpgcheck for more details).
"
Looks like it was added to yum 13 years ago:
https://github.com/rpm-software-management/yum/commit/290933489b1aaeb1017d10fb59ccf3231e309115
> remember anybody ever complaining, certainly not "tons of people".
This was 13-14 years ago.
> Using local RPMs is a pretty rare thing. I can't imagine too many
> people complaining about this. It was never much of a burden, and to
> the extent that it was, it was a burden that was a worthwhile tradeoff
> for increased security.
I'm just relaying the history here...
> It's also not clear when this option would take effect. Would it take
> effect if I did `dnf install /path/to/local/file` or just when I did
no, because that looks up that file in your repos and downloads the repo
version of the package.
> `dnf localinstall /path/to/local/file`? What if I did `dnf
yes.
> localinstall remotepath:/to/remote/file`? All of these work, as it
> seems "localinstall" and "install" both just work if given a URL,
> local or remote.
remote path just downloads the file and installs it, so it's the same as
the last case.
> This option seems poorly rolled out, unclear in function, and overall
> bad for security.
Well, nothing was rolled out, it's been that way for 13 years.
Should it be revisited? Sure, and thats what this thread is for?
>
> >
> > It's also worth noting that if you pass yum/dnf/dnf5 urls for the
> > package(s) you want to install, it's not using a repo at all, it's
> > downloading those packages and treating them as local packages.
>
> Is this meant to imply that it doesn't do checks by default whenever
> you pass a URL?! That's even worse! From this user's perspective, a
> URL pointing to a package in a repo, is just a more fully-qualified
> way of specifying the shorthand package name. It seems very odd if
But dnf has no way to know https://foo.bar/packagename is in a repo.
If it is, you should enable the repo and install it with 'dnf install
packagename'.
> passing a fully-qualified path to a remote package results in less
> security than specifying the (possibly ambiguous) shortname for a
> package that DNF resolves via NVR.
Yep.
kevin
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
