Bug 155425
Summary: | fedora keys should not be downloaded | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Martin Welss <martin.welss> |
Component: | fedora-release | Assignee: | Elliot Lee <sopwith> |
Status: | CLOSED RAWHIDE | Severity: | medium |
Priority: | high | Version: | rawhide |
CC: | herrold, katzj, kyrsjo, marius.andreiana, roozbeh, wtogami | Keywords: | Security |
Hardware: | All | OS: | Linux |
Doc Type: | Bug Fix | Last Closed: | 2005-05-22 21:38:39 UTC |
Bug Blocks: | 136450 | | |

Description
Martin Welss
2005-04-20 07:52:04 UTC
They are: rpm --import /usr/share/doc/fedora-release-*/RPM-GPG-KEY* But they should be automatically imported at install time (or during first boot?)

We should change fedora-release to specify the path to the key... which probably is going to mean moving them out of just being in /usr/share/doc/fedora-release-version to somewhere more predictable (without the version).

What specific actions in which packages are needed to resolve this bug?

If someone doesn't use up2date, is there anything that does an auto-import of the keys?

yum auto-imports the keys, yes. If a repo has gpgkey=url://to/key (file:// URLs allowed) then if/when a package from that repo is downloaded and a gpg key verification is needed then the key will be downloaded/imported.

/usr/share/doc is also a bad location because they can be excluded from installation with rpm --excludedocs. So this is really two fixes:

* yum repo definitions shipped in FC should have gpgkey=url:// point at a local file rather than remote file.
* /etc/somewhere is a logical place to put these keys.

up2date ships its own copy of the Fedora keys in /usr/share/rhn/

Nothing should rely on anything in /usr/share/doc.

Elliot, do you want to go ahead with the suggestions in Comment #4 and #5? That is 1) Move the keys in fedora-release into a non-versioned and non-doc directory, and 2) point yum to those local files rather than a network URL for downloading keys.

Already fixed in CVS.

*** Bug 157144 has been marked as a duplicate of this bug. ***

Unless I am totally misunderstanding this situation, this needs fixing in both fedora-release and yum. fedora-release needs the key files to exist somewhere outside of %doc dirs, while yum needs gpgkeys= to local file URLs to find them.

Warren, I guess you are mistaken. yum repository data is actually in the fedora-release package, as far as I know.

OK, yum doesn't need changing, but fedora-release does.

FC4-0520.0 candidate tree contains fedora-release-3.92-1. /etc/yum.repos.d/ still contains gpgkey=http://download.fedora.redhat.com/pub/fedora/linux/extras/RPM-GPG-KEY-Fedora-Extras

http://cvs.fedora.redhat.com/viewcvs/fedora-release/?root=fedora

The .repo files in CVS do use file:// URLs, but they still install keys using %doc which is wrong. rpm --excludedocs would break this, which is supposed to be a supported way of using the operating system. The RPM GPG keys should be installed anywhere but %doc. up2date installs another copy into /usr/share/rhn. Where should we put the fedora-release copy?

Under /usr/share/doc is fine. Stop reopening this bug already.

Would it be wrong if I moved it out of /usr/share/doc?

Please don't depend on anything in /usr/share/doc...

After subsequent discussion it was decided to move RPM-GPG-KEY* into an unchanging named directory. /etc/pki/rpm-gpg seems appropriate. This is now checked into CVS for fedora-release-4-1.
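
An added example, not part of the bug thread and not code from yum or fedora-release: a small audit of .repo definitions for the two problems the thread discusses, gpgkey= values that fetch the key over the network and gpgkey= values that point into /usr/share/doc. The section names and key file names in the sample are constructed; the http:// URL is the one quoted in the thread.

```python
import configparser
import posixpath
from urllib.parse import urlparse

# Constructed sample .repo content (section and key file names are illustrative).
SAMPLE_REPO = """
[extras]
name=Fedora Extras
gpgcheck=1
gpgkey=http://download.fedora.redhat.com/pub/fedora/linux/extras/RPM-GPG-KEY-Fedora-Extras

[base-doc]
name=Base (key under doc dir)
gpgcheck=1
gpgkey=file:///usr/share/doc/fedora-release-3/RPM-GPG-KEY-fedora

[base-fixed]
name=Base (key under /etc/pki/rpm-gpg)
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
       file:///etc/pki/rpm-gpg/RPM-GPG-KEY
"""

def audit_gpgkeys(repo_text):
    """Return (section, url, problem) tuples for risky gpgkey= entries."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(repo_text)
    findings = []
    for section in parser.sections():
        # yum accepts several whitespace-separated URLs in one gpgkey value.
        for url in parser.get(section, "gpgkey", fallback="").split():
            parsed = urlparse(url)
            # Normalise so "/etc/../usr/share/doc/..." is still caught.
            path = posixpath.normpath(parsed.path)
            if parsed.scheme != "file":
                findings.append((section, url, "key is fetched over the network"))
            elif path.startswith("/usr/share/doc/"):
                findings.append(
                    (section, url, "key is in %doc; absent with rpm --excludedocs"))
    return findings

if __name__ == "__main__":
    for section, url, problem in audit_gpgkeys(SAMPLE_REPO):
        print(f"[{section}] {url}: {problem}")
```
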