On Tue, Oct 31, 2023 at 04:23:41PM +0100, Petr Pisar wrote:

> The nonchecking behavior probably exists to make installing local packages
> easy. If DNF5 would insist on checking the signatures, Fedora users would have
> to pass --no-gpgchecks option to their "dnf5" commands to override the new
> default, or start signing their packages. As always security is not easy.
> 
> Because this is an old behavior and some users probably depend on it, enabling
> the verification for all cases looks like an abrupt change.
> 
> I would like to hear your opinion: Should DNF5 start verifying all
> packages? Should DNF5 keep ignoring signatures for out-of-repository packages?
> Or should it rather narrow the verification skip to packages from a local file
> system? Any other options?

dnf should verify all packages unless the user turns this off.

I may have known checks were skipped for local files at one point, but
reading this today I was surprised by it. Especially in today's world
where instructions tell you to download the rpm and install it manually I
think it is important to default to being as safe as possible by
default.

I think we should:

 * Switch the default local gpg check to true
  - this removes surprise when you learn you've been installing
    unchecked software for ... years? If they want it, it can be set
    back to false by the user.

 * Don't apply the local flag to rpms downloaded from a url by dnf.
   Treat them as if they came from a repo.
  - users (or me) don't know all the internal paths inside dnf, the
    expectation is that a url isn't a local file.

Brian

-- 
Brian C. Lane (PST8PDT) - weldr.io - lorax - parted - pykickstart