Bug 1297087
| Field | Value |
|---|---|
| Summary | [RFE] Implementation of localpkg_gpgcheck option for checking gpg signature for local packages or packages specified by URL |
| Product | [Fedora] Fedora |
| Component | dnf |
| Version | 25 |
| Status | CLOSED RAWHIDE |
| Severity | low |
| Priority | low |
| Reporter | Graham Cole <diakkaml> |
| Assignee | Jaroslav Mracek <jmracek> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | emailtoflorian, fedora, jmracek, jsilhan, lantw44, mluscon, packaging-team-maint, pnemade, vmukhame |
| Keywords | Reopened, Security, Triaged |
| Hardware | Unspecified |
| OS | Linux |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2016-10-04 18:06:31 UTC |
| Bug Blocks | 1362452 |
Description
Graham Cole
2016-01-09 00:20:36 UTC
We'll take a look.

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

How can a security bug, which also is a regression to yum AFAIK, have low severity and low priority?

This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle. Changing version to '25'.

According to my investigation, the behavior of DNF with gpgcheck of local messages is identical to YUM. Please let me know if I overlooked something.

Thank you very much for the report of the documentation difference from preset dnf behavior. We will change it according to current behavior. We know that security is an important part of package distribution, but there is a supported way: a repository with only signed rpms. Repositories also solve the problem of gpg-key distribution and checksums of metadata. To create a repository, the createrepo_c package can be used, and repositories can be remote as well as local. With gpgcheck for local packages or remote packages outside of a repository, many users could have difficulties with the new behavior of DNF; therefore I think, due to the existing solution, that I can close this bug report as notbug. If you experience any further problems, please report them.

Yum has an option 'localpkg_gpgcheck' that provides the requested behavior. It changes the situation. The option 'localpkg_gpgcheck' was already implemented in DNF, but it is not in the documentation. That is going to be changed by a new pull request: https://github.com/rpm-software-management/dnf/pull/554

If you want to use gpgcheck for local packages, you have to add "localpkg_gpgcheck=1" to the /etc/dnf/dnf.conf file. Have fun with it.
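A configuration check for the setting discussed in this report, added here as an example; it is not code from the bug thread or from the dnf project. The function name `audit_dnf_conf`, the sample configs, the accepted boolean spellings and the assumption that both options are off when absent are this example's own.

```python
import configparser

# Constructed sample configs (not taken from the bug report).
WEAK_CONF = "[main]\ngpgcheck=1\ninstallonly_limit=3\n"
HARDENED_CONF = "[main]\ngpgcheck=1\nlocalpkg_gpgcheck=1\ninstallonly_limit=3\n"

# Boolean spellings; assumed to match what dnf accepts.
TRUE_VALUES = {"1", "yes", "true", "on"}
FALSE_VALUES = {"0", "no", "false", "off"}

# Options to audit and what each one covers. Assumption: an absent option
# means the check is off (a distribution's shipped dnf.conf may set gpgcheck).
CHECKS = {
    "gpgcheck": "packages from repositories",
    "localpkg_gpgcheck": "local files and packages given by URL",
}


def audit_dnf_conf(text):
    """Audit the [main] section of dnf.conf-style text (hypothetical helper).

    Returns a dict with one bool per audited option plus a 'findings' list.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    main = parser["main"] if parser.has_section("main") else {}
    result = {"findings": []}
    for option, scope in CHECKS.items():
        raw = main.get(option)
        value = (raw or "").strip().lower()
        if value in TRUE_VALUES:
            result[option] = True
            continue
        # Anything else is reported: missing, explicitly off, or unparseable.
        result[option] = False
        if raw is None:
            reason = "not set"
        elif value in FALSE_VALUES:
            reason = "disabled"
        else:
            reason = "unrecognised value %r" % raw
        result["findings"].append(
            f"{option} {reason}: no signature check for {scope}")
    return result


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_dnf_conf(conf))
```

To audit a real host, pass the contents of /etc/dnf/dnf.conf to `audit_dnf_conf` instead of the constructed samples.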