> > > We can live with rpm verification disabled too.
> > 
> > 
> > This is a terrible idea from a security perspective.
> 
> In the embedded Linux world, production systems are rarely, if ever, updated from 
> package feeds by a package manager. Rather, the whole root filesystem gets 
> overwritten from an image file. The package manager is used to compose that root 
> filesystem from local packages in a controlled CI environment (where 
> package-level security isn't needed), and to allow developers to install 
> additional items into a running system on their desks used for development 
> and testing (where there's no need to sign packages either).
> 
> So Yocto can accept that regression in package security, we'll make sure to 
> place warnings where appropriate.

Another option would be to use the host system’s RPM for verifying the packages.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2414#issuecomment-1826442158
You are receiving this because you are subscribed to this thread.

Message ID: <rpm-software-management/rpm/issues/2414/1826442...@github.com>
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint