On 9/20/16 10:00 AM, Burton, Ross wrote:
> 
> On 20 September 2016 at 09:15, Hongxu Jia <hongxu....@windriver.com> wrote:
> 
>     -Upstream-Status: Submitted [Sent email to rpm-de...@rpm5.org
>     <mailto:rpm-de...@rpm5.org>]
>     +Upstream-Status: Rejected [Sent email to rpm-de...@rpm5.org
>     <mailto:rpm-de...@rpm5.org>]
>     +http://rpm5.org/community/rpm-devel/5655.html
>     <http://rpm5.org/community/rpm-devel/5655.html>
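Review bot: The Upstream-Status change from Submitted to Rejected records only a link to the rpm-devel thread; add a line under the header stating why upstream rejected the patch and why it is still carried locally, so a reader of the patch file can judge whether to keep it without following the link.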
> 
> 
> Considering upstream has explicitly rejected this patch, why should we accept 
> it?
> 
> Ross
> 
> 

I'm confused by what the patch is doing looking at it.

It sounds like from the description there is a bug that without the change,
packages with (intentionally) bad checksums and such are allowed to be 
installed.

The bug is caused by a previous patch that enabled nosignature, etc -- because
the comparisons turned out to be backwards.

So really nosignature, etc is already in place -- it's just not working 
properly?

What was rejected upstream is the use of nosignature in any context.  The RPM5
maintainer believes it is unwise and unsafe to permit users to install packages
that have failed basic validation.  (I tend to agree.)  Similarly, even being
able to run queries and other operations against them may be dangerous as well.

If fixing the problem is as simple as reverting the other change -- and that
doesn't cause other problems elsewhere...  I'd rather see that.

--Mark
-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
