* Michael Catanzaro:

> On Tue, Nov 14 2023 at 08:16:39 AM -0500, Christopher
> <ctubbsii@xxxxxxxxxxxxxxxxx> wrote:
>> I think for the sake of security, it'd be better if this were on by
>> default, and you just had to specify the --nogpgcheck
>> For convenience, the error message should probably say "Error: GPG
>> check FAILED (try again with '--nogpgcheck' to ignore)"
>> I don't think this use case is so important that everybody's security
>> should be lowered to avoid the minor inconvenience of passing a simple
>> flag.
>
> Thing is, when manually installing RPMs that don't come from a
> repository, 98% of the time they are not expected to be signed by a
> GPG key that you have installed, so the check is expected to fail. GPG
> check is just not the right thing to do in this case. If we enable GPG
> checking when not appropriate, ***we will train users to reflexively
> ignore GPG errors.***

We already trained them to use -y, which can automatically enroll new
keys. I'm not sure if a trust boundary is crossed in that case, but if
there isn't, why is user confirmation even needed?

Thanks,
Florian