On Thu, Nov 2, 2023 at 1:33 PM Brian C. Lane <b...@redhat.com> wrote:
> > I think we should: > > * Switch the default local gpg check to true > - this removes surprise when you learn you've been installing > unchecked software for ... years? If they want it, it can be set > back to false by the user. > > * Don't apply the local flag to rpms downloaded from a url by dnf. > Treat them as if they came from a repo. > - users (or me) don't know all the internal paths inside dnf, the > expectation is that a url isn't a local file. This seems like a reasonable default. Does it also make sense to add some CLI UI niceties that: * Let's the user know this check may be skipped with "--nogpgcheck" with a brief explanation of the risk * Allow the user to continue the transaction with only the specific package not being checked, default no -- Jonathan Steffan
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue