Red Hat Bugzilla – Bug 149340
Network queries for rpm signatures are a privacy risk, and a performance problem
Last modified: 2007-11-30 17:11:00 EST
Description of problem:
Network queries for rpm signatures are a privacy risk since they can
inform an unknown third party of packages on your system.
Also, the performance of "rpm -qa" and "rpm -e" now truly sucks unless
"--nosignature" is added.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. rpm -qa
2. rpm -qa --nosignature
ellson@ellson:~> time rpm -qa >/dev/null
ellson@ellson:~> time rpm -qa --nosignature >/dev/null
rpm needs explicit user permission before making any network access
You have the following choices for the privacy issue,
change your configuration to satisfy your needs:
1) rpm --import all pubkeys used to sign packages.
2) disable the mechanism by adding to ~/.rpmmacros or /etc/rpm/macros
(create if not already there):
Add a differenet, possibly local, hkp server there if you want.
Yes, a network timeout during rpm -qa is pathetically slow. You
have the following choice (in addition to the aformentioned)
3) Disable signature verification during queries by adding to
~/.rpmmacros or /etc/rpm/macros:
In addition, since rpm needs to choose one default value
for distribution, feel free to bring me consensus on
what that default should be. What is in rpm-4.1.1-1
is what I believe is Right for the majority of FC4 users,
but I make no claim at prescience or Godliness, I'm perfectly
willing to change rpm configuration as needed.