On Wed, Nov 01, 2023 at 10:49:36AM -0700, Kevin Fenzi wrote:
> On Wed, Nov 01, 2023 at 11:05:33AM -0400, Christopher wrote:
> > On Tue, Oct 31, 2023 at 7:50 PM Kevin Fenzi <ke...@scrye.com> wrote:
> > >
> > > FWIW, from what I can recall, yum used to check all packages, but this
> > > resulted in tons of people complaining because they did not want it to
> > > check their local packages. So, a localpkg_gpgcheck option was added and
> > > set to false. dnf4 still has this option.
> > 
> > I wasn't aware of that change in behavior. I can't find that option
> > documented in the man page for dnf or any other readily available docs
> > about dnf in my installation, or present in my dnf.conf file. I don't
> 
> Odd. It's in the dnf.conf man page here in rawhide:
> 
> "localpkg_gpgcheck
>               boolean
> 
>               Whether to perform a GPG signature check on local packages
>               (packages in a file, not in a repository). The default is False.
>               This option is subject to the active RPM security policy (see
>               gpgcheck for more details).
> "
> 
> Looks like it was added to yum 13 years ago:
> https://github.com/rpm-software-management/yum/commit/290933489b1aaeb1017d10fb59ccf3231e309115

This is pretty badly documented. I'm pretty sure that most people will
not guess that any URL qualifies as "in a file".

The approach to security nowadays is much stricter than 13 years ago…
I think we should revisit this decision.

> > remember anybody ever complaining, certainly not "tons of people".
> 
> This was 13-14 years ago. 
> 
> > Using local RPMs is a pretty rare thing. I can't imagine too many
> > people complaining about this. It was never much of a burden, and to
> > the extent that it was, it was a burden that was a worthwhile tradeoff
> > for increased security.
> 
> I'm just relaying the history here... 
> 
> > It's also not clear when this option would take effect. Would it take
> > effect if I did `dnf install /path/to/local/file` or just when I did
> 
> no, because that looks up that file in your repos and downloads the repo
> version of the package.
> 
> > `dnf localinstall /path/to/local/file`? What if I did `dnf

My vote would be:
'dnf install /path/to/file' default to warn-but-allow (*)
'dnf install https://some.url/' default to an enforcing check

For files outside of a repo, the current set of keys registered
with rpm should be used. A valid-signature-with-unknown-key must be
rejected when the check is enforcing.

If such fine-grained policy is not possible, then I think
defaulting to requiring explicit --nogpgcheck would be better
than status quo.

(*) I think that 99% of the time when you're doing a local install
like that, the package was built by the user and it's convenient
to skip the check.

Zbyszek
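A worked example of the policy proposed above, added here as illustration and not part of the thread or of dnf itself: a small Python checker that classifies an install argument as a local path or a URL, parses the per-signature status lines of `rpm -Kv` output, and applies warn-but-allow for local files, an enforcing check for URLs, and rejection of valid-signature-with-unknown-key (`NOKEY`) when enforcing. The sample outputs are constructed in the `rpm -Kv` format with made-up file names and key IDs; the function names (`decide`, `classify_signature`, `classify_source`, `check_with_rpm`) are my own, and rejecting a signature that fails to verify (`BAD`) even for a local file is an assumption beyond what the message states.

```python
import re
import subprocess
from urllib.parse import urlparse

# Constructed sample output modelled on `rpm -Kv <file>`; the package name
# and key IDs are made up and do not refer to any real package or key.
SAMPLE_KNOWN_KEY = """\
/tmp/hello-1.0-1.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID deadbeef: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
"""
SAMPLE_UNKNOWN_KEY = """\
/tmp/hello-1.0-1.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0badf00d: NOKEY
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
"""
SAMPLE_UNSIGNED = """\
/tmp/hello-1.0-1.x86_64.rpm:
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
"""
SAMPLE_BAD = """\
/tmp/hello-1.0-1.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID deadbeef: BAD
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
"""

# One line per signature: "... Signature, key ID <hex>: <STATUS>"
SIG_RE = re.compile(r"Signature, key ID ([0-9a-fA-F]+): (\w+)")


def classify_signature(rpm_kv_output):
    """Reduce rpm -Kv output to one of:
    'signed-known'   every signature verified against a key in the rpm keyring
    'signed-unknown' a signature is well-formed but its key is not imported
    'unsigned'       no signature lines at all (digests only)
    'bad'            a signature failed to verify, or an unexpected status
    """
    matches = SIG_RE.findall(rpm_kv_output)
    if not matches:
        return "unsigned"
    statuses = {status for _, status in matches}
    if statuses == {"OK"}:
        return "signed-known"
    if "BAD" in statuses:
        return "bad"
    if "NOKEY" in statuses:
        return "signed-unknown"
    return "bad"  # e.g. NOTTRUSTED: treat anything not explicitly OK/NOKEY as failure


def classify_source(spec):
    """'url' for a remote package spec, 'local' for a path on disk."""
    parsed = urlparse(spec)
    if parsed.scheme in ("http", "https", "ftp") and parsed.netloc:
        return "url"
    return "local"


def decide(spec, rpm_kv_output, nogpgcheck=False):
    """Apply the proposed policy. Returns (verdict, reason) where verdict is
    'allow', 'warn' (install proceeds with a warning) or 'reject'."""
    if nogpgcheck:
        return ("allow", "signature check explicitly disabled with --nogpgcheck")
    source = classify_source(spec)
    sig = classify_signature(rpm_kv_output)
    if sig == "bad":
        # Assumption: a signature that does not verify is fatal regardless of source.
        return ("reject", "signature does not verify")
    if source == "url":
        # Enforcing: only a valid signature from a key already registered with rpm passes;
        # a valid signature under an unknown key is rejected, not merely warned about.
        if sig == "signed-known":
            return ("allow", "valid signature from a known key")
        return ("reject", f"enforcing check failed for remote package: {sig}")
    # Local file: warn-but-allow for unsigned or unknown-key packages.
    if sig == "signed-known":
        return ("allow", "valid signature from a known key")
    return ("warn", f"local package is {sig}; installing anyway")


def check_with_rpm(path):
    """Run the real `rpm -Kv` on a file and return its stdout for decide()."""
    proc = subprocess.run(["rpm", "-Kv", path], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    for spec, out in [("/tmp/hello-1.0-1.x86_64.rpm", SAMPLE_UNSIGNED),
                      ("https://example.invalid/hello.rpm", SAMPLE_UNKNOWN_KEY),
                      ("https://example.invalid/hello.rpm", SAMPLE_KNOWN_KEY)]:
        print(spec, "->", decide(spec, out))
```

`check_with_rpm` is the only part that touches the system; the policy itself is pure so it can be unit-tested against captured `rpm -Kv` output without a package on disk.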
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org