On Tue, Oct 31, 2023 at 04:32:09PM +0100, Fabio Valentini wrote:
> On Tue, Oct 31, 2023 at 4:24 PM Petr Pisar <ppi...@redhat.com> wrote:
> >
> > Hello,
> >
> > DNF5 got a complaint
> > <https://github.com/rpm-software-management/dnf5/issues/991> that "dnf update
> > https://..." skips verifying package signatures:
> >
> >     $ sudo dnf update \
> >         https://kojipkgs.fedoraproject.org//packages/gnome-control-center/45.1/2.fc40/data/signed/a15b79cc/x86_64/gnome-control-center-45.1-2.fc40.x86_64.rpm \
> >         https://kojipkgs.fedoraproject.org//packages/gnome-control-center/45.1/2.fc40/data/signed/a15b79cc/noarch/gnome-control-center-filesystem-45.1-2.fc40.noarch.rpm
> >     [...]
> >     Warning: skipped PGP checks for 2 package(s).
> >
> > A DNF5 developer confirmed that the old DNF4 does not verify signatures either.
> > The verification happens only for packages coming from a repository. The reason
> > DNF5 looks bad is that it actually prints the warning and thus keeps the user
> > better informed.
> >
> > The non-checking behavior probably exists to make installing local packages
> > easy. If DNF5 insisted on checking the signatures, Fedora users would have
> > to pass the --no-gpgchecks option to their "dnf5" commands to override the new
> > default, or start signing their packages. As always, security is not easy.
> >
> > Because this is an old behavior and some users probably depend on it, enabling
> > the verification for all cases looks like an abrupt change.
> >
> > I would like to hear your opinion: Should DNF5 start verifying all
> > packages? Should DNF5 keep ignoring signatures for out-of-repository packages?
> > Or should it rather narrow the verification skip to packages from the local file
> > system? Any other options?
> 
> I wonder - how would DNF (4 or 5, it doesn't matter) know how to check that at all?
> I mean, if the package isn't associated with a repository (like
> installing an RPM directly), which GPG key should it even be checked
> against?
> 
Against any key already existing in an RPM database (rpm -qa | grep gpg-pubkey).

-- Petr
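The check Petr describes, done by hand for a package that did not come from a repository, as an added example that is not part of the thread or of DNF's own code. It assumes the one-line summary format that `rpm -K` prints in rpm 4.14 and later ("digests signatures OK"); the sample output lines in the comments are constructed for illustration. The point worth noticing is that an unsigned package makes `rpm -K` print "digests OK" and exit 0, so a gate that looks only at the exit status would wave unsigned packages through just as silently as DNF4 does.

```shell
#!/bin/sh
# Added example (not from the thread): gate the install of an RPM that did not
# come from a repository on what `rpm -K` reports about it. Assumes the output
# format of rpm >= 4.14; the sample lines in the comments are constructed.

# Which keys can a local package be checked against? The same ones dnf would
# use: the gpg-pubkey entries in the rpmdb. VERSION is the short key ID,
# RELEASE the key's creation time, SUMMARY the user ID.
list_imported_keys() {
    rpm -q gpg-pubkey --qf '%{VERSION}-%{RELEASE}  %{SUMMARY}\n'
}

# Classify the one-line summary printed by `rpm -K <file>` (constructed samples):
#   "pkg.rpm: digests signatures OK"      -> signature verified with an imported key
#   "pkg.rpm: digests OK"                 -> digests only: the package is NOT signed
#   "pkg.rpm: digests SIGNATURES NOT OK"  -> bad signature, or signing key not imported
# The unsigned case exits 0, so the exit status alone is not a safe gate.
classify_rpm_check() {
    case "$1" in
        *": digests signatures OK") echo "signed-ok" ;;
        *": digests OK")            echo "unsigned" ;;
        *"NOT OK"*)                 echo "bad" ;;
        *)                          echo "unknown" ;;
    esac
}

# Refuse anything that is not "signed-ok". Returns 0 only for a verified package.
verify_local_rpm() {
    pkg="$1"
    out=$(rpm -K "$pkg" 2>&1) || true
    verdict=$(classify_rpm_check "$out")
    case "$verdict" in
        signed-ok)
            return 0 ;;
        unsigned)
            echo "refusing $pkg: not signed (rpm -K only checked digests)" >&2
            return 2 ;;
        *)
            echo "refusing $pkg: $out" >&2
            echo "keys currently imported into the rpmdb:" >&2
            list_imported_keys >&2
            return 1 ;;
    esac
}

# Usage: ./verify-local-rpm.sh ./foo-1.0-1.fc40.x86_64.rpm \
#        && sudo dnf install ./foo-1.0-1.fc40.x86_64.rpm
if [ $# -gt 0 ]; then
    verify_local_rpm "$1"
fi
```

If the verdict is "bad" because of NOKEY, `rpm -Kv` shows the key ID the package was signed with, which can be compared against the `list_imported_keys` output before deciding whether to import the key (`rpm --import`) or to drop the package.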


_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org