On 3/11/25 8:58 AM, Adam Williamson wrote:
On Mon, 2025-03-10 at 16:42 +0100, Florian Weimer wrote:
* The most noticeable change is that RPM now refuses to install
packages whose signature hasn't been positively verified, whether due
to being unsigned, missing key or otherwise. This can be worked around
by supplying `--nosignature` on the command line, or more permanently,
changing the `%_pkgverify_level` macro to the former default of
`digest`, but these should be only temporary measures, users are
encouraged to import necessary keys and/or setup automatic signing for
their (local) builds instead.
Does this impact installations via “dnf install”?
I would assume so, since rpm is still under dnf in the end.
Yes, it impacts installs with *any* client using librpm.
What's the impact on typical Fedora CI tests?
We would need to make sure the CI systems download signed packages,
somehow. AFAIK they currently don't. openQA certainly doesn't.
I have no idea how Fedora CI is setup and what is involved there.
Ideally signed packages are used of course, but for these cases the easy
way out is to just flip the default back to 4.x in the CI. It's a single
macro config entry.
- Panu -
I've been working on https://github.com/fedora-infra/bodhi/pull/5859 to
help with this, but there turned out to be some subtleties that I
didn't have time to deal with yet (and then I went on vacation).
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
