Red Hat Bugzilla – Bug 502277
unsigned packages should be considered broken for --skip-broken
Last modified: 2014-01-21 18:09:17 EST
Description of problem:
A couple of unsigned packages have crept into rawhide recently. I just
tried to ignore them by using --skip-broken and got the exact same errors
with and without the --skip-broken option. An unsigned package in a repo
configured to require signed packages seems (to me anyway) like something
that should fall into the category "broken", it would be convenient if
--skip-broken skipped them.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. see above
--skip-broken is about package sets that don't depsolve, so we remove them from the transaction at that point.
From the technical point of view the yum code basically does:
1. parse command line
4. run transaction
...if a package isn't signed, when the repo. says it should be, we only find out at #4 ... which is really late, so it would be much harder to do this.
Just because it is hard to do, doesn't mean it isn't a good idea.
Shucks, you just need to add --exclude arguments for the unsigned
packages and loop back to step #1. That's what I do manually :-).
i think that --skip-broken is the wrong option for installing unsigned packages.
if you what to force it you can use --nogpgcheck, but that will skip the gpg check for all packages.
One of the problems with skipping packages is that you have to go back to 2. after you have skip packages, because the skip packages can break the whole transaction.
it is not the normal usage case that a repo with gpgcheck=1, has unsigned packages, it's a error in the repo. it is only because the fedora repo has gpgcheck=1, but the packages in the fedora is rawhide and the normal rawhide repo has gpgcheck=0
a pkg failing the gpgcheck is a security issue, not a depsolving issue.
These two items should not ever be confused with one another.
*** Bug 502635 has been marked as a duplicate of this bug. ***
I agree that it is a security issue... however... the other packages are signed.... so why not install those ?
I'm not sure anyone actually wanting to use --skip-broken really cares
why the package is broken or thinks it is useful to distinguish somehow
between broken due to dependencies or broken due to being unsigned (or
broken for some other reason if there are others that might crop up).
Maybe the option name should be changed to:
The error messages yum outputs are ultimately intended for two different audiences:
1. the user themselves
2. the people who will help support the user and/or debug the problem.
A user not reporting broken deps is an issue but it is not security critical.
A user not reporting an unsigned pkg in a repo that should be signed is CRITICAL.
You can ask to call it what you want - but an unsigned pkg in a signed repo is not 'broken' in the sense we're using it here, it is an emergency.