Red Hat Bugzilla – Bug 460908
"Remember Auth" possible when installing unsigned RPM
Last modified: 2008-09-03 14:44:41 EDT
Well with recent PackageKit in Fedora 9 it is possible to Remember the Authentification (even checked by default) when installing an unsigned RPM.
Could be a potential security risk when the user does not double check when entering the password.
Are you sure? I get the chance to remember auth on the first stage install (trusted) and then get to re-authenticate without the chance to retain if the package is really unsigned. Can you describe what dialogs you see?
Created attachment 315600 [details]
well this is what i get when i try to install the flash player rpm from http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash&Lang=German&promoid=COYSZ
i noticed that "remember authorization" is checked by default, so when i enter my password and leave it checked, it should theoretically possible to install all local rpms without any further passwords, shouldn't it? i hope this answers your question.
You're seeing the first stage in the trusted dance (see http://www.packagekit.org/gtk-doc/introduction-ideas-transactions.html for more information) -- the second stage will no have a remember authentication step if the file does not have a recognised key.
good. sorry for bugging you.