Re: [CentOS] rpm libuser-devel is not signed
>> 'yum update' runs into the following error message.
>>
>> Package libuser-devel-0.54.7-2.1.el5_5.2.i386.rpm is not signed
>
> I got this too, there's two ways around it:
>
> 1) Wait until the package is signed and then update.
>
> 2) Run: yum update --nogpgcheck

Other workarounds for this particular issue have just been suggested here:

http://lists.centos.org/pipermail/centos/2011-April/110547.html
http://lists.centos.org/pipermail/centos/2011-April/110551.html

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] rpm libuser-devel is not signed
On 04/21/2011 01:04 AM, Mathieu Baudier wrote:
>>> 'yum update' runs into the following error message.
>>>
>>> Package libuser-devel-0.54.7-2.1.el5_5.2.i386.rpm is not signed
>>
>> I got this too, there's two ways around it:
>>
>> 1) Wait until the package is signed and then update.
>>
>> 2) Run: yum update --nogpgcheck
>
> Other workarounds for this particular issue have just been suggested here:
>
> http://lists.centos.org/pipermail/centos/2011-April/110547.html
> http://lists.centos.org/pipermail/centos/2011-April/110551.html

This issue has been taken care of on all the CentOS mirrors about 10 hours ago.
Re: [CentOS] rpm libuser-devel is not signed
On 04/21/2011 09:26 AM, Johnny Hughes wrote:
>> Other workarounds for this particular issue have just been suggested here:
>>
>> http://lists.centos.org/pipermail/centos/2011-April/110547.html
>> http://lists.centos.org/pipermail/centos/2011-April/110551.html

I find it strange that people are making such recommendations. A non-verifiable signature is a MASSIVE deal. Working 'around' that is to stop doing what you are doing, and not do any package centric operation till the issue is fixed and resolved in an acceptable manner.

- KB
Re: [CentOS] rpm libuser-devel is not signed
On 04/21/2011 12:49 AM, Ben McGinnes wrote:
> 2) Run: yum update --nogpgcheck

please don't do that :(

- KB
Re: [CentOS] rpm libuser-devel is not signed
On Thu, 21 Apr 2011, Karanbir Singh wrote:
> On 04/21/2011 09:26 AM, Johnny Hughes wrote:
>>> Other workarounds for this particular issue have just been suggested here:
>>>
>>> http://lists.centos.org/pipermail/centos/2011-April/110547.html
>>> http://lists.centos.org/pipermail/centos/2011-April/110551.html
>
> I find it strange that people are making such recommendations. A non-verifiable signature is a MASSIVE deal. Working 'around' that is to stop doing what you are doing, and not do any package centric operation till the issue is fixed and resolved in an acceptable manner.

It's all too often the advice you'll see. On Spacewalk, the standard response to dealing with unsigned (or signed with an unimported key) is to disable all gpg checks.

It's cringeworthy, and wrong on so many levels.

jh
Re: [CentOS] rpm libuser-devel is not signed
>> Other workarounds for this particular issue have just been suggested here:
>>
>> http://lists.centos.org/pipermail/centos/2011-April/110547.html
>> http://lists.centos.org/pipermail/centos/2011-April/110551.html
>
> I find it strange that people are making such recommendations. A non-verifiable signature is a MASSIVE deal. Working 'around' that is to stop doing what you are doing, and not do any package centric operation till the issue is fixed and resolved in an acceptable manner.

Sorry, but not everybody is on production machines.

Since the OP could not analyze himself the error message, one could safely assume he is not dealing with critical production environments.

Maybe he was just told: install quickly this CentOS in VirtualBox, just to make sure our app is compatible, and in that case the sooner the better.

My advice and those of others were underlining the security risk. The one of Akemi seems pretty safe (not installing the update).

To put it shortly: Freedom, as in free software, is about doing whatever you want.

This being said, I do agree that having a non signed package is a MASSIVE deal. Do we have more details about what's going on here?
Re: [CentOS] rpm libuser-devel is not signed
On Thu, 21 Apr 2011, Mathieu Baudier wrote:
> Sorry, but not everybody is on production machines.
>
> Since the OP could not analyze himself the error message, one could safely assume he is not dealing with critical production environments.
>
> Maybe he was just told: install quickly this CentOS in VirtualBox, just to make sure our app is compatible, and in that case the sooner the better.
>
> My advice and those of others were underlining the security risk. The one of Akemi seems pretty safe (not installing the update).
>
> To put it shortly: Freedom, as in free software, is about doing whatever you want.

Not updating is entirely sensible and sounds like the best default position. Installing a package you'd expect to be signed when it isn't signed should ring alarm bells.

Freedom includes being free to make poor decisions.

jh
Re: [CentOS] rpm libuser-devel is not signed
On 04/21/2011 12:26 PM, Mathieu Baudier wrote:
> Sorry, but not everybody is on production machines.

Security and integrity of an install is not optional, wherever you might be. Imho anyway.

> Maybe he was just told: install quickly this CentOS in VirtualBox, just to make sure our app is compatible, and in that case the sooner the better.
>
> My advice and those of others were underlining the security risk. The one of Akemi seems pretty safe (not installing the update).

If there is reason to suspect a mirror or installation is compromised, one should - again imho - not be doing any operations against that.

> To put it shortly: Freedom, as in free software, is about doing whatever you want.

that's true, but there is also a sense of responsibility that comes with that advice that is handed out and who / where it's being handed out. One could potentially assume that the people on this list would know what they are talking about and would only advise based on what's considered best practices. The fact that the OP didn't know what was going on would be a good sign to assume that he was looking for people who did know what was going on

eg. Telling people to jump off a cliff, just because you can isn't nice. Freedom or otherwise.

> This being said, I do agree that having a non signed package is a MASSIVE deal. Do we have more details about what's going on here?

yes, a package was released, unsigned, and has been fixed. ( and 4 more tests added to the release process to make sure that this does not happen again; or at least reduce the chance of this going out ).

- KB
Re: [CentOS] rpm libuser-devel is not signed
On Thu, 21 Apr 2011, Karanbir Singh wrote:
> yes, a package was released, unsigned, and has been fixed. ( and 4 more tests added to the release process to make sure that this does not happen again; or at least reduce the chance of this going out ).

And if people stick with the sane practice of only trusting signed packages, this is quickly caught and the only cost is a short delay while updated packages are pushed out.

If people think that disabling gpg checking is a good idea, you risk this finding its way into their yum.conf. That's exactly what you've seen amongst some spacewalk users.

jh
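An added example, not part of any message in this thread: a small audit for the risk raised above, that a one-off --nogpgcheck ends up as a permanent gpgcheck=0 in yum.conf or a repo file. The function names, repo ids and file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: list every yum config section that turns package
# signature checking off. Exit status 1 means at least one was found.
audit_gpgcheck() {
    awk '
        FNR == 1 { section = "(none)" }        # new file: reset section name
        /^[ \t]*[#;]/ { next }                 # skip comment lines
        /^[ \t]*\[[^]]*\]/ {                   # [main] or [repoid] header
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1))
            val = tolower(substr($0, eq + 1))
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            # yum reads 0, no and false as "off" for boolean options
            if (key == "gpgcheck" && (val == "0" || val == "no" || val == "false")) {
                printf "%s: [%s] gpgcheck=%s\n", FILENAME, section, val
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample configuration (not taken from any real host).
write_sample() {
    mkdir -p "$1/yum.repos.d"
    printf '%s\n' '[main]' 'cachedir=/var/cache/yum' 'gpgcheck=1' > "$1/yum.conf"
    printf '%s\n' '[base]' 'name=Base' 'gpgcheck=1' '' \
        '[internal-tools]' 'name=Internal' '# gpgcheck=0 was here' \
        'gpgcheck = 0' > "$1/yum.repos.d/local.repo"
}

sample=$(mktemp -d)
write_sample "$sample"
audit_gpgcheck "$sample/yum.conf" "$sample/yum.repos.d/"*.repo ||
    echo "signature checking is disabled in the sections listed above"
rm -rf "$sample"
```

On a real host the arguments would be /etc/yum.conf and /etc/yum.repos.d/*.repo; the non-zero exit status makes the check usable from cron or a configuration-management run.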
Re: [CentOS] rpm libuser-devel is not signed
> Not updating is entirely sensible and sounds like the best default position. Installing a package you'd expect to be signed when it isn't signed should ring alarm bells.

I agree that my first answer was probably wrong, even with all disclaimers and warnings.

I thought of a technical way (--nogpgcheck) to solve the issue, whereas the right answer was definitely procedural (as you point out, not updating, what I would have done on my own systems).

I apologize, but I did my best...

> Freedom includes being free to make poor decisions.

I fully agree with you.
Re: [CentOS] rpm libuser-devel is not signed
On 04/21/2011 08:34 AM, Mathieu Baudier wrote:
>> Not updating is entirely sensible and sounds like the best default position. Installing a package you'd expect to be signed when it isn't signed should ring alarm bells.
>
> I agree that my first answer was probably wrong, even with all disclaimers and warnings.
>
> I thought of a technical way (--nogpgcheck) to solve the issue, whereas the right answer was definitely procedural (as you point out, not updating, what I would have done on my own systems).
>
> I apologize, but I did my best...
>
>> Freedom includes being free to make poor decisions.
>
> I fully agree with you.

Maybe this would work out:

    yum --nogpgcheck update libuser-devel

then you can update everything else later with gpg on.

Although, like I said, this particular issue has now been corrected.
Re: [CentOS] rpm libuser-devel is not signed
Johnny Hughes wrote:
> On 04/21/2011 08:34 AM, Mathieu Baudier wrote:
>>> Not updating is entirely sensible and sounds like the best default position. Installing a package you'd expect to be signed when it isn't signed should ring alarm bells.
>>
>> I agree that my first answer was probably wrong, even with all disclaimers and warnings.

<snip>

> Maybe this would work out:
>
>     yum --nogpgcheck update libuser-devel
>
> then you can update everything else later with gpg on.

I *like* that answer. And command line only, so the next time you go to yum update, it'll get the fixed package.

> Although, like I said, this particular issue has now been corrected.

And *very* quickly.

mark
Re: [CentOS] rpm libuser-devel is not signed
On Thursday, April 21, 2011 07:56:27 AM John Hodrien wrote:
> If people think that disabling gpg checking is a good idea, you risk this finding its way into their yum.conf. That's exactly what you've seen amongst some spacewalk users.

FWIW, there are some out there who don't even think unsigned packages are a problem. As an extreme example of this, recently I saw on LinuxToday where there was a thread in an archlinux list about signed packages; most of the devs didn't consider them a priority. At all. One reason arch won't be in production here any time soon.

Unless you know exactly what you are doing and the full ramifications of doing it you should never disable gpgcheck, since mirrors can be hacked.
[CentOS] rpm libuser-devel is not signed
Hello,

'yum update' runs into the following error message.

Package libuser-devel-0.54.7-2.1.el5_5.2.i386.rpm is not signed

regards
Olaf
Re: [CentOS] rpm libuser-devel is not signed
On 21/04/11 5:26 AM, Olaf Mueller wrote:
> Hello,
>
> 'yum update' runs into the following error message.
>
> Package libuser-devel-0.54.7-2.1.el5_5.2.i386.rpm is not signed

I got this too, there's two ways around it:

1) Wait until the package is signed and then update.

2) Run: yum update --nogpgcheck

Regards,
Ben