Bug 531838
Summary: | Recent PK update will silently install insecure packages
---|---
Product: | [Fedora] Fedora
Component: | PackageKit
Status: | CLOSED NEXTRELEASE
Severity: | high
Priority: | low
Version: | 12
Hardware: | All
OS: | Linux
Reporter: | James Antill <james.antill>
Assignee: | Richard Hughes <richard>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | mclasen, rhughes, richard, security-response-team
Doc Type: | Bug Fix
Last Closed: | 2010-01-05 09:51:26 UTC
Description
James Antill
2009-10-29 16:08:05 UTC
This isn't a security bug. I've talked with Seth about this. I've talked to Matthias about this. It's crazy to prevent any installs if a single repo is not available. And from a real-life point of view... when was the last time Fedora was available but not updates? I think you're making a mountain out of a molehill.

What is the plan here? Will PK get some warning pop-up to notify users when some repo is disabled? Should this remain private for now, given what's already in public bug 529349?

Well, we could pop up a warning, although I think that would get pretty irritating and we've been trying to reduce the number of popups on the desktop, not make them happen every few minutes. I really don't think this bug should be private, or even marked as a security bug.

This reminds me of the security bug yum got dinged on last year. Essentially, we need to tell users and make sure they understand when things are inaccessible and that could be keeping them from getting security updates. Silently disabling and continuing just means they won't know what they are not getting.

Opening this bug.

This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle. Changing version to '12'. More information and the reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

commit aa7a41e1e9bde3848885c07c9feb59325c229743
Author: Richard Hughes <richard>
Date: Tue Jan 5 09:49:38 2010 +0000

yum: show a message to the user if the repo could not be reached. Fixes rh#531838

PackageKit-0.5.6-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/PackageKit-0.5.6-1.fc12

PackageKit-0.5.6-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.