Bug 155425 - fedora keys should not be downloaded
Summary: fedora keys should not be downloaded
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: fedora-release (Show other bugs)
(Show other bugs)
Version: rawhide
Hardware: All Linux
high
medium
Target Milestone: ---
Assignee: Elliot Lee
QA Contact:
URL:
Whiteboard:
Keywords: Security
: 157144 (view as bug list)
Depends On:
Blocks: FC4Blocker
TreeView+ depends on / blocked
 
Reported: 2005-04-20 07:52 UTC by Martin Welss
Modified: 2014-01-21 22:51 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-05-22 21:38:39 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Martin Welss 2005-04-20 07:52:04 UTC
Description of problem:
the key to verify packages of fedora and fedora-extras should be part of the
installation iso-image to prevent spoofing

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.fedora core just installed 
2.yum install xloxkmore
3. ... yum downloads asks to import the key ....

  
Actual results:


Expected results:


Additional info:

Comment 1 Marius Andreiana 2005-04-21 16:20:08 UTC
They are:
rpm --import /usr/share/doc/fedora-release-*/RPM-GPG-KEY*

But they should be automatically imported at install time (or during first boot?)

Comment 2 Jeremy Katz 2005-04-21 17:44:27 UTC
We should change fedora-release to specify the path to the key... which probably
is going to mean moving them out of just being in
/usr/share/doc/fedora-release-version to somewhere more predictable (without the
version).  

Comment 3 Elliot Lee 2005-05-11 23:00:08 UTC
What specific actions in which packages are needed to resolve this bug? If
someone doesn't use up2date, is there anything that does an auto-import of the keys?

Comment 4 Seth Vidal 2005-05-11 23:50:53 UTC
yum auto-imports the keys, yes.

if a repo has gpgkey=url://to/key (file:// urls allowed) then if/when a package
from that repo is downloaded and a gpg key verification is needed then the key
will be downloaded/imported.

Comment 5 Warren Togami 2005-05-16 08:48:23 UTC
/usr/share/doc is also bad of a location because they can be excluded from
installation with rpm --excludedocs.

So this is really two fixes:
* yum repo definitions shipped in FC should have gpgkey=url:// point at a local
file rather than remote file.
* /etc/somewhere is a logical place to put these keys.

Comment 6 Warren Togami 2005-05-19 06:43:52 UTC
up2date ships its own copy of the Fedora keys in /usr/share/rhn/  Nothing should
rely on anything in /usr/share/doc.

Elliot do you want to go ahead with the suggestions in Comment #4 and #5?  That
is 1) Move the keys in fedora-release into a non-versioned and non-doc
directory, and
2) point yum to those local files rather than a network URL for downloading keys.

Comment 7 Elliot Lee 2005-05-19 13:53:54 UTC
already fixed in CVS.

Comment 8 Miloslav Trmač 2005-05-20 14:30:56 UTC
*** Bug 157144 has been marked as a duplicate of this bug. ***

Comment 9 Warren Togami 2005-05-22 00:05:12 UTC
Unless I am totally misunderstanding this situation, this needs fixing in both
fedora-release and yum.  fedora-release needs the key files to exist somewhere
outside of %doc dirs, while yum needs gpgkeys= to local file URLs to find them.


Comment 10 Roozbeh Pournader 2005-05-22 10:39:39 UTC
Warren, I guess you are mistaken. yum repository data is actually in the
fedora-release package, as far as I know.

Comment 11 Warren Togami 2005-05-22 11:06:28 UTC
OK, yum doesn't need changing, but fedora-release does.

FC4-0520.0 candidate tree contains fedora-release-3.92-1.
/etc/yum.repos.d/ still contains
gpgkey=http://download.fedora.redhat.com/pub/fedora/linux/extras/RPM-GPG-KEY-Fedora-Extras

http://cvs.fedora.redhat.com/viewcvs/fedora-release/?root=fedora
The .repo files in CVS do use file:// URLs, but they still install keys using
%doc which is wrong.  rpm --excludedocs would break this, which is supposed to
be a supported way of using the operating system.

The RPM GPG keys should be installed anywhere but %doc.  up2date installs
another copy into /usr/share/rhn.  Where should we put the fedora-release copy?

Comment 12 Elliot Lee 2005-05-22 21:38:39 UTC
Under /usr/share/doc is fine. Stop reopening this bug already.

Comment 13 Warren Togami 2005-05-22 21:40:21 UTC
Would it be wrong if I moved it out of /usr/share/doc?  Please don't depend on
anything in /usr/share/doc...


Comment 14 Warren Togami 2005-05-25 09:13:11 UTC
After subsequent discussion it was decided to move RPM-GPG-KEY* into an
unchanging named directory.  /etc/pki/rpm-gpg seems appropriate.  This is now
checked into CVS for fedora-release-4-1.


Note You need to log in before you can comment on or make changes to this bug.