On Thu, Nov 2, 2023 at 1:33 PM Brian C. Lane <bcl@xxxxxxxxxx> wrote:
> I think we should:
>
> * Switch the default local gpg check to true
>   - this removes surprise when you learn you've been installing
>     unchecked software for ... years? If they want it, it can be set
>     back to false by the user.
> * Don't apply the local flag to rpms downloaded from a url by dnf.
>   Treat them as if they came from a repo.
>   - users (or me) don't know all the internal paths inside dnf, the
>     expectation is that a url isn't a local file.

This seems like a reasonable default. Does it also make sense to add some CLI UI niceties that:

* Lets the user know this check may be skipped with "--nogpgcheck" with a brief explanation of the risk
* Allow the user to continue the transaction with only the specific package not being checked, default no

Jonathan Steffan