Bug 673088

Summary: yum - change of default gpg signature check requirement
Product: [Fedora] Fedora
Reporter: jurek.bajor
Component: yum
Assignee: Seth Vidal <skvidal>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Version: rawhide
CC: ffesti, james.antill, maxamillion, pmatilai, robatino, tla
Doc Type: Bug Fix
Last Closed: 2011-05-24 21:08:30 UTC

Description jurek.bajor 2011-01-27 12:02:11 UTC
Description of problem:

Fedora 15 version has a change in yum that doesn't check for gpg signatures for
local packages by default.
Yum still checks gpg signatures for repo packages.
It is configurable.

This change is neither safe nor wise.
It should check for all packages, but be configurable for local ones, that is,
the other way around. The sysadmin should make that conscious decision.

Version-Release number of selected component (if applicable):
yum

Comment 2 Tim Lauridsen 2011-01-27 16:35:41 UTC
1. You need root access to install a local rpm.
2. Most of the time the local rpms you are installing are not signed at all, so there is no signature to validate.
3. rpm -ivh foo.rpm doesn't give you any problems.

So why should yum foo.rpm force you to type --nogpgcheck every time?

I agree it is a potential security risk to install some rpm from an untrusted place, but I don't see that forcing the user to use --nogpgcheck every time reduces the risk.

Comment 3 Andre Robatino 2011-01-27 18:10:15 UTC
Actually, I often download RPMs from my enabled repos that need to be up/downgraded several times, simply to save bandwidth, and appreciate that yum (used to) check the signature for me. Rpm can work with either local or remote rpms ("rpm -ivh http://foo.com/foo.rpm", for example) and doesn't check either way, so is consistent in that regard. I think it makes more sense for yum to be consistent as well in terms of behaving the same regardless of the source of the package. Local rpms that aren't signed probably aren't installed very often, and when they are it's often because the packager is neglecting to sign them, as they should (for example RealPlayer, or more recently Skype). Not doing the local signature check takes the pressure off them to package properly.

Comment 4 James Antill 2011-02-04 14:54:39 UTC
Actually, yum is consistent. "yum install http://example.com/foo.rpm" is considered "local" and is thus checked via the new config method. The difference is between "local" and "repo" packages.

For your use case where you are doing upgrades/downgrades I'd suggest you create a repo with those packages in it (maybe using the "yum-plugin-local" package, maybe doing something else).
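The stance the reporter and Comment 3 argue for (verify every package, make exceptions an explicit administrator decision) can be enforced outside yum as well. The following Python is an added example, not part of this bug report or of yum's code: it parses the report that `rpm -Kv <file>` prints for a package file and applies that policy, failing closed on unsigned, NOKEY and BAD results. The sample reports are constructed and the key ID 0123abcd is a placeholder.

```python
"""Gate local RPM installs on `rpm -Kv` output. Added example, not yum's code: it
applies the policy argued for in this bug (every package must carry a signature that
verifies against an imported key; unsigned files need an explicit opt-in)."""
import re
import subprocess
from dataclasses import dataclass

# One signature line, e.g. "    Header V3 RSA/SHA256 Signature, key ID 0123abcd: OK";
# status is OK, NOKEY (signing key not imported) or BAD (tampered / wrong key).
_SIG_LINE = re.compile(r"^\s*(Header\s+)?V\d\s+\S+\s+Signature,\s+key ID\s+"
                       r"(?P<keyid>[0-9a-f]+):\s+(?P<status>\w+)", re.IGNORECASE)
_BAD_DIGEST = re.compile(r"digest:\s+(?!OK\b)\w+", re.IGNORECASE)  # any non-OK digest

@dataclass
class Verdict:
    allowed: bool
    reason: str
    key_ids: tuple = ()

def evaluate(rpm_kv_output: str, allow_unsigned: bool = False) -> Verdict:
    """Decide whether a package passes, given the text `rpm -Kv file` printed."""
    sigs = [m for m in map(_SIG_LINE.match, rpm_kv_output.splitlines()) if m]
    if not sigs:  # the unsigned case from Comment 2: fail closed unless opted in
        if allow_unsigned:
            return Verdict(True, "unsigned package accepted by explicit opt-in")
        return Verdict(False, "package carries no GPG signature")
    failed = sorted({m["status"].upper() for m in sigs} - {"OK"})
    if failed:
        return Verdict(False, "signature check failed: " + ", ".join(failed))
    if _BAD_DIGEST.search(rpm_kv_output):
        return Verdict(False, "header or payload digest mismatch")
    return Verdict(True, "signature OK", tuple(sorted({m["keyid"].lower() for m in sigs})))

def check_file(path: str, allow_unsigned: bool = False) -> Verdict:
    """Run `rpm -Kv` on a real file and apply the policy (needs rpm installed)."""
    proc = subprocess.run(["rpm", "-Kv", path], capture_output=True, text=True)
    return evaluate(proc.stdout, allow_unsigned)

# Constructed sample reports modelled on the `rpm -Kv` line format; 0123abcd is a placeholder.
SIGNED_OK = """foo-1.0-1.fc15.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 0123abcd: OK
    Header SHA1 digest: OK (5f1c...)
    V3 RSA/SHA256 Signature, key ID 0123abcd: OK
    MD5 digest: OK (9a2b...)"""
UNSIGNED = """bar-2.0-1.x86_64.rpm:
    Header SHA1 digest: OK (3c4d...)
    MD5 digest: OK (1e2f...)"""
NOKEY = """baz-0.1-3.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 0123abcd: NOKEY
    MD5 digest: OK (2c3d...)"""
```

Wiring `check_file` in front of a local install gives the behaviour the reporter asked yum to keep by default, with `allow_unsigned=True` as the explicit, per-invocation exception.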