Bug 968529
Summary: | yum-cron does not install packages that need new keys | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Orion Poplawski <orion> |
Component: | yum | Assignee: | Packaging Maintenance Team <packaging-team-maint> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | | |
Version: | 19 | CC: | admiller, bill-bugzilla.redhat.com, ffesti, firas.alkafri, jzeleny, packaging-team-maint, tim.lauridsen |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2014-09-03 15:14:57 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Orion Poplawski
2013-05-29 20:05:11 UTC
Since yum-cron does not run interactively we can't ask the user if the key is okay, so the key is not imported. Had we set opts.assumeyes=True the key would get imported unconditionally, but that has obvious security implications. Adding assumeyes option to yum-cron.conf is trivial, but I'd like to hear more comments on this first.

*** Bug 983136 has been marked as a duplicate of this bug. ***

I tried adding:

    [base]
    assumeyes = True

to /etc/yum/yum-cron.conf, but that didn't help. Is that the right option?

We have to also add some glue code to yum-cron.py.. and maybe also change the option name to something more meaningful, eg "import_new_keys=True"?

Yes, a better name would be good. Is there anything I can do to help get this fixed?

Sorry, this was fixed upstream and released as 3.4.3-108 with other changes.. Basically we just apply everything in [main] section to override yum config, so since -108, you can just use what you wrote in comment #3. There's a comment in yum-cron.conf.

Okay, so I'm just waiting for this to make it to F19 then.

@Orion: I see there's a build in koji: https://koji.fedoraproject.org/koji/buildinfo?buildID=460846 doesn't look like updates-testing has been requested yet. FYI, you can upgrade with:

    sudo rpm -Uhv http://kojipkgs.fedoraproject.org//packages/yum/3.4.3/108.fc19/noarch/yum-3.4.3-108.fc19.noarch.rpm
    sudo rpm -Uhv http://kojipkgs.fedoraproject.org//packages/yum/3.4.3/108.fc19/noarch/yum-cron-3.4.3-108.fc19.noarch.rpm

for testing purposes.

I don't think I'll use it myself, in case the repo gets compromised. I'd love to see 'assumeyes = 7d' or some such thing in the future to accept new keys after some reasonable length of time for humans to detect a repo compromise; both are risks, it's just a matter of choosing the best compromise for a given system.

So, looks like this in f19 but not f20?

    yum.noarch 3.4.3-111.fc19 @updates
    yum.noarch 3.4.3-106.fc20 @anaconda

That's a broken upgrade path.

This seems to be broken again with yum-3.4.3-153.fc21.noarch

Or maybe not. Today it worked.
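A defender-side check for the setting discussed in this thread, as an added example that is not part of the bug report or of yum itself: it parses a yum-cron.conf and reports whether assumeyes is enabled in the [base] or [main] section, the override the thread says makes unattended runs import new GPG keys. The sample configs are constructed, and the [commands] apply_updates key is assumed from the stock yum-cron.conf rather than taken from this page.

```python
import configparser

# Sections this thread names as carrying yum overrides in yum-cron.conf.
OVERRIDE_SECTIONS = ("base", "main")


def _flag(cp, section, option):
    """Read a boolean option; a missing or unparsable value counts as off."""
    try:
        return cp.getboolean(section, option, fallback=False)
    except ValueError:
        return False


def audit_yum_cron(conf_text):
    """Report whether this config lets yum-cron accept new repo keys unattended."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    sections = [s for s in OVERRIDE_SECTIONS
                if cp.has_section(s) and _flag(cp, s, "assumeyes")]
    # Assumption: [commands] apply_updates decides whether updates get installed.
    applies = cp.has_section("commands") and _flag(cp, "commands", "apply_updates")
    return {
        "assumeyes_sections": sections,
        "apply_updates": applies,
        "installs_with_auto_keys": bool(sections) and applies,
    }


# Constructed sample: the override from the thread, active.
SAMPLE_RISKY = """
[commands]
apply_updates = yes

[base]
debuglevel = -2
assumeyes = True
"""

# Constructed sample: the same option left commented out.
SAMPLE_SAFE = """
[commands]
apply_updates = yes

[base]
# assumeyes = True
"""

if __name__ == "__main__":
    for name, text in (("risky", SAMPLE_RISKY), ("safe", SAMPLE_SAFE)):
        print(name, audit_yum_cron(text))
```

Run it over /etc/yum/yum-cron.conf on hosts where a newly introduced repository key should always be reviewed by a person before packages signed with it are installed.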