Bug 673088 - yum - change of default gpg signature check requirement
Summary: yum - change of default gpg signature check requirement
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: yum
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Seth Vidal
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-01-27 12:02 UTC by jurek.bajor
Modified: 2014-01-21 23:17 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-24 21:08:30 UTC
Type: ---



Description jurek.bajor 2011-01-27 12:02:11 UTC
Description of problem:

Fedora 15 version has a change in yum that doesn't check for gpg signatures for
local packages by default.
Yum still checks gpg signatures for repo packages.
It is configurable.

This change is neither safe nor wise.
It should check for all packages, but be configurable for local ones, that is
the other way around. The sys admin should make that conscious decision.

Version-Release number of selected component (if applicable):
yum

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 2 Tim Lauridsen 2011-01-27 16:35:41 UTC
1. You need root access to install a local rpm.
2. Most of the time the local rpms you are installing are not signed at all, so there is no signature to validate.
3. rpm -ivh foo.rpm doesn't give you any problems.

So why should yum foo.rpm force you to type --nogpgcheck every time?

I agree it is a potential security risk to install some rpm from an untrusted place, but I don't see that forcing the user to use --nogpgcheck every time reduces the risk.

Comment 3 Andre Robatino 2011-01-27 18:10:15 UTC
Actually, I often download RPMs from my enabled repos that need to be up/downgraded several times, simply to save bandwidth, and appreciate that yum (used to) check the signature for me. Rpm can work with either local or remote rpms ("rpm -ivh http://foo.com/foo.rpm", for example) and doesn't check either way, so is consistent in that regard. I think it makes more sense for yum to be consistent as well in terms of behaving the same regardless of the source of the package. Local rpms that aren't signed probably aren't installed very often, and when they are it's often because the packager is neglecting to sign them, as they should (for example RealPlayer, or more recently Skype). Not doing the local signature check takes the pressure off them to package properly.

Comment 4 James Antill 2011-02-04 14:54:39 UTC
 Actually, yum is consistent. "yum install http://example.com/foo.rpm" is considered "local" and is thus. checked via. the new config. method. The difference is between "local" and "repo." packages.

For your use case where you are doing upgrades/downgrades I'd suggest you create a repo. with those packages in it (maybe using the "yum-plugin-local" package, maybe doing something else).

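The thread turns on the fact that signature checking of local .rpm files became a separate, off-by-default setting distinct from the check applied to repository packages. The following POSIX shell script is an added example (not part of the bug report and not yum's own code) that shows the weak and the hardened yum.conf side by side and audits a given config file for the setting. `localpkg_gpgcheck` is the real yum.conf(5) key that controls this behaviour; both configuration files below are constructed for the demonstration, and `local_gpgcheck_enabled` and `report` are names chosen here.

```shell
#!/bin/sh
# Added example: audit a yum.conf for the localpkg_gpgcheck setting that
# governs GPG signature checks on local .rpm files. Both config files are
# constructed here; only the key name comes from yum.conf(5).

# Constructed config A: Fedora 15 style defaults. gpgcheck=1 covers repo
# packages only; without localpkg_gpgcheck, local files are not checked.
YUM_CONF_DEFAULT=$(mktemp)
cat > "$YUM_CONF_DEFAULT" <<'EOF'
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
gpgcheck=1
plugins=1
EOF

# Constructed config B: the hardened form, where local packages must be
# signed too and the admin opts out per run with --nogpgcheck.
YUM_CONF_HARDENED=$(mktemp)
cat > "$YUM_CONF_HARDENED" <<'EOF'
[main]
gpgcheck=1
localpkg_gpgcheck=1
EOF

# local_gpgcheck_enabled FILE
# Exit 0 if the [main] section sets localpkg_gpgcheck to 1/true/yes,
# exit 1 otherwise. A missing key means yum's default of 0, i.e. unchecked,
# so the audit treats "absent" the same as "disabled".
local_gpgcheck_enabled() {
    awk '
        # Track which INI section we are in; only [main] matters here.
        /^[[:space:]]*\[/ { in_main = ($0 ~ /^[[:space:]]*\[main\][[:space:]]*$/); next }
        in_main && /^[[:space:]]*localpkg_gpgcheck[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")   # keep only the value
            sub(/[[:space:]]+$/, "")
            v = tolower($0)
            found = (v == "1" || v == "true" || v == "yes") ? 1 : 0
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# report FILE: print a one-line verdict for the given config.
report() {
    if local_gpgcheck_enabled "$1"; then
        echo "$1: local packages ARE signature-checked"
    else
        echo "$1: local packages are NOT signature-checked (set localpkg_gpgcheck=1 in [main])"
    fi
}

report "$YUM_CONF_DEFAULT"
report "$YUM_CONF_HARDENED"
```

Run it against the real /etc/yum.conf by calling `report /etc/yum.conf`; a system that still relies on `gpgcheck=1` alone will be flagged, which is exactly the distinction between "repo" and "local" packages that Comment 4 describes.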
