On 31. 10. 23 at 16:23, Petr Pisar wrote:
Hello,

DNF5 got a complaint
<https://github.com/rpm-software-management/dnf5/issues/991> that "dnf update
https://..." skips verifying package signatures:

     $ sudo dnf update \
         https://kojipkgs.fedoraproject.org//packages/gnome-control-center/45.1/2.fc40/data/signed/a15b79cc/x86_64/gnome-control-center-45.1-2.fc40.x86_64.rpm \
         https://kojipkgs.fedoraproject.org//packages/gnome-control-center/45.1/2.fc40/data/signed/a15b79cc/noarch/gnome-control-center-filesystem-45.1-2.fc40.noarch.rpm
     [...]
     Warning: skipped PGP checks for 2 package(s).

A DNF5 developer confirmed that old DNF4 does not verify signatures either.
The verification happens only for packages coming from a repository. Why DNF5
looks bad is because it actually prints the warning and thus keeps the user
better informed.

The non-checking behavior probably exists to make installing local packages
easy. If DNF5 insisted on checking the signatures, Fedora users would have
to pass the --no-gpgchecks option to their "dnf5" commands to override the new
default, or start signing their packages. As always, security is not easy.

Because this is an old behavior and some users probably depend on it, enabling
the verification for all cases looks like an abrupt change.

I would like to hear your opinion: Should DNF5 start verifying all
packages? Should DNF5 keep ignoring signatures for out-of-repository packages?
Or should it rather narrow the verification skip to packages from a local file
system? Any other options?


Or maybe verify what it can and report the packages which can't be verified? You can notice that I was actually installing signed packages.

But I would (probably) not mind explicitly specifying `--no-gpgcheck`. I still would swear this used to be needed, that is why I try to install the signed packages.


Vít

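What "verify what it can and report the rest" looks like when done on the client side today, as an added example that is not part of this thread or of DNF: the script downloads each URL (local paths are used as-is), runs `rpmkeys --checksig`, and prints only the packages whose signature verified against a key already in the rpm keyring, so they can be passed on to dnf. It assumes the result-line format of rpm 4.14 or newer (`digests signatures OK` / `digests OK` / `... NOT OK`); the sample lines in the comments are constructed to mirror that format.

```shell
#!/bin/sh
# Added example, not code from DNF or from the thread. Assumes rpm >= 4.14
# and that the distribution signing key is already imported into rpm.

# Map one `rpmkeys --checksig` result line to an exit code:
#   0 = signature present and verified by an imported key
#   1 = no signature at all (only digests were checked)
#   2 = digest or signature NOT OK (unknown key or altered payload)
#   3 = unrecognised output
# Constructed sample lines:
#   foo.rpm: digests signatures OK        -> 0
#   foo.rpm: digests OK                   -> 1 (unsigned)
#   foo.rpm: digests SIGNATURES NOT OK    -> 2
classify_checksig_line() {
    case "$1" in
        *"digests signatures OK") return 0 ;;
        *"NOT OK"*)               return 2 ;;
        *"digests OK")            return 1 ;;
        *)                        return 3 ;;
    esac
}

# Fetch a URL into a temporary file (a local path is used directly), verify
# it, and print the local path only when the signature checked out.
verify_rpm() {
    src="$1"
    case "$src" in
        http://*|https://*)
            pkg="$(mktemp --suffix=.rpm)"
            curl -fsSL -o "$pkg" "$src" || { echo "download failed: $src" >&2; return 3; }
            ;;
        *) pkg="$src" ;;
    esac
    line="$(rpmkeys --checksig "$pkg" 2>&1)"
    classify_checksig_line "$line" && rc=0 || rc=$?
    case $rc in
        0) echo "$pkg" ;;
        1) echo "UNSIGNED: $src" >&2 ;;
        2) echo "BAD OR UNTRUSTED SIGNATURE: $src ($line)" >&2 ;;
        *) echo "could not verify: $src ($line)" >&2 ;;
    esac
    return $rc
}

# Usage: verify-rpms.sh URL-or-path...   (hypothetical script name)
# Only verified packages reach stdout, e.g.:
#   sudo dnf install $(./verify-rpms.sh https://.../foo.rpm)
for arg in "$@"; do
    verify_rpm "$arg"
done
```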

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org