140200 – yum attempts to gpgcheck a package that is unsigned

Bug 140200 - yum attempts to gpgcheck a package that is unsigned

Summary: yum attempts to gpgcheck a package that is unsigned

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	yum
Sub Component:
Version:	3
Hardware:	athlon
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Jeremy Katz
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2004-11-20 22:05 UTC by james
Modified:	2014-01-21 22:50 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2004-11-21 17:37:53 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description james 2004-11-20 22:05:41 UTC

From Bugzilla Helper:
User-Agent: Opera/7.54 (X11; Linux i686; U)  [en]

Description of problem:
If yum is configured with "gpgcheck=1" and then attempts to install 
or update a package that is unsigned, it fails with "unsigned package 
<path>".


Version-Release number of selected component (if applicable):
yum-2.1.11-4

How reproducible:
Always

Steps to Reproduce:
1. configure /etc/yum.conf with "gpgcheck=1"
2. yum update <some-unsigned-package>
3.
    

Actual Results:  unsigned package <path>
yum dies

Expected Results:  yum should generate a warning about the package 
not being signed, but should continue.

yum should NEVER "bail", "punt", or "quit" because of a recoverable 
error or, especially, because of a warning condition.

Additional info:

Comment 1 Seth Vidal 2004-11-21 17:37:53 UTC

1. yum doesn't die, it exits with an error message.
2. an unsigned package when gpgcheck=1 is an error. If it was not then
a  person who broke into a repository could simply put an unsigned rpm
into the repository and 'boom' they own all those machines.

this is not a bug.

Note You need to log in before you can comment on or make changes to this bug.