Bug 73761 - RPM signature warning only shown for first package on command line
Status: CLOSED WONTFIX
Product: Red Hat Linux
Classification: Retired
Component: rpm
Version: 8.0
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Paul Nasrat
Keywords: FutureFeature
Reported: 2002-09-10 09:18 EDT by Sander Steffann
Modified: 2007-04-18 12:46 EDT
Doc Type: Enhancement
Last Closed: 2006-04-04 07:32:57 EDT
Attachments
different NOKEY/NOTTRUSTED warnings (1.04 KB, patch)
2002-09-19 11:15 EDT, Sander Steffann
Description Sander Steffann 2002-09-10 09:18:20 EDT
Description of problem:
RPM signature warning only shown for first package on command line... Example:

rpm -Uvh *.rpm
warning: bind-9.2.1-9.i386.rpm: Header V3 DSA signature: NOKEY, key ID 897da07a
Preparing...                ########################################### [100%]
   1:bind-utils             ########################################### [  9%]
   2:bind                   ########################################### [ 18%]
etc...


How reproducible:
Always

Steps to Reproduce:
1. rpm -Uvh 1.rpm 2.rpm etc.rpm


Actual Results:  One warning

Expected Results:  Multiple warnings

Comment 1 Jeff Johnson 2002-09-17 07:41:42 EDT
This is a feature, not a bug.

The warning is emitted only the 1st time that
a package signed with an unknown public key is
encountered.

There's little reason to spew yet further
warnings about the same problem, and there are
other means to determine whether one or more packages
are signed with an unknown key. For example a simple
loop over "rpm -qp".
Comment 2 Sander Steffann 2002-09-18 17:16:08 EDT
I understand that there are other ways to check the signatures of packages, but 
I still think that in this case the behaviour is misleading. When I install 
multiple packages, and I get a warning about the first package but not about 
the other ones, I (and I suspect many others) will assume that the signature of 
the other packages is good.

If you don't want to bother the user with multiple warnings, that is good. But 
in that case I think you should leave out the filename in the warning. Because 
there is a filename in the warning-message, it is only natural to think that 
the warning applies only to that file. When you change the warning to something 
like:
-> warning: one or more packages: Header V3 DSA signature: NOKEY, key ID 
897da07a
I think it will be much more clear to the user what you want to tell him.

So I still suggest one of these options:
1) show all warnings
2) don't use a filename in the warning

And I agree with you that showing multiple warnings about the same problem is 
not needed, so I would go for option 2.

Of course these are only my suggestions to improve the RPM tool. If you don't 
want to use them, just re-close this bug/feature request and I won't bother you 
with it again. (But I still think you should go for option 2 :)

PS: If you think it is a good idea but don't have time to implement it, I can 
give it a try and send you a patch. Just let me know!
Comment 3 Jeff Johnson 2002-09-19 09:47:56 EDT
Yes the message is misleading, but rpm does not
(yet) have clear and succinct security policies,
only the mechanism to provide. In fact, a sober
security policy should provide a warning message
on each and every package for which the public
key is not found. The "feature" is an aid in
transition, as lots and lots of warning messages
that are ignored isn't exactly useful either.

If you want to take a look at the problem, I'd be grateful.
I *love* patches :-)
Comment 4 Sander Steffann 2002-09-19 11:15:21 EDT
Created attachment 76605 [details]
different NOKEY/NOTTRUSTED warnings
Comment 5 Sander Steffann 2002-09-19 11:18:39 EDT
I was thinking about something like this:
One message at WARNING level with the text "one or more packages" instead of 
the filename. Multiple messages at DEBUG level with the actual filenames 
included.

Small untested patch attached.
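A per-package signature check in the spirit of the "loop over rpm -qp" mentioned in comment 1, reporting in the one-summary-plus-per-file-details layout proposed in comment 5. This is an added example, not code from this bug report or from rpm itself; it assumes a POSIX shell and that `rpm -Kv` prints one line per signature or digest containing OK, NOKEY, NOTTRUSTED or BAD (the wording the bug's own warning uses).

```shell
#!/bin/sh
# Added example (not from rpm or from this bug): check every package on the
# command line instead of relying on the single NOKEY warning from rpm -Uvh.

# classify_sig_report TEXT -> prints one status for a package, where TEXT is
# the output of `rpm -Kv <pkg>`. Worst finding wins: BAD before NOKEY.
classify_sig_report() {
    case "$1" in
        *BAD*)        echo BAD ;;        # digest or signature mismatch
        *NOKEY*)      echo NOKEY ;;      # signed, but public key not imported
        *NOTTRUSTED*) echo NOTTRUSTED ;; # key imported but not trusted
        *"NOT OK"*)   echo BAD ;;        # any other failure summary line
        *ignature*)   echo OK ;;         # a signature line was seen and passed
        *)            echo UNSIGNED ;;   # only digests reported: no signature
    esac
}

# check_packages PKG... -> one "<status><TAB><pkg>" line per package on
# stdout; returns 1 if any package is not OK. Needs rpm on PATH.
check_packages() {
    rc=0
    for pkg in "$@"; do
        status=$(classify_sig_report "$(rpm -Kv "$pkg" 2>&1)")
        [ "$status" = OK ] || rc=1
        printf '%s\t%s\n' "$status" "$pkg"
    done
    return $rc
}

# summarize LINES -> the layout proposed in this bug: one aggregate warning
# per failure status ("N package(s): ...") followed by the affected
# filenames, so no single filename looks like the only problem.
summarize() {
    tab=$(printf '\t')
    for st in BAD NOKEY NOTTRUSTED UNSIGNED; do
        n=$(printf '%s\n' "$1" | grep -c "^${st}${tab}" || true)
        [ "$n" -gt 0 ] || continue
        echo "warning: ${n} package(s): signature status ${st}"
        printf '%s\n' "$1" | grep "^${st}${tab}" | sed "s/^${st}${tab}/    /"
    done
}

# Usage (requires rpm): summarize "$(check_packages ./*.rpm)"
```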
Comment 6 Thomas Dodd 2002-09-20 17:47:52 EDT
I like Sander's idea.

Perhaps better would be to say:
"Use -vv option for details."
So the user knows how to find the details.
Comment 7 Jeff Johnson 2006-04-04 07:32:57 EDT
rpm cannot train users how to ascertain their security needs through
better error messages.

Importing the pubkey makes the issue of spewing for all or 1st found moot.

The decision on whether the pubkey is trusted sufficiently to be imported
remains with the user.
