Created attachment 600420: screenshot of gpk-update-viewer

Description of problem:
When updating packages via gpk-update-viewer, if there's a package from an unsigned yum repo that needs to be updated, a vague and scary warning pops up saying a package is not from a trusted provider, but it does not say *which* package:

  The software is not signed by a trusted provider.
  Do not update this package unless you are sure it is safe to do so.
  Malicious software can damage your computer or cause harm.
  Are you *sure* you want to update this package?
  [ Close ] [ Force install ]

At the moment, my system is trying to update 118 packages. I have no clue which one is not trusted based on the dialog. From trial and error, I discovered it's the chromium package from Tom 'spot' Callaway's repo: http://fedoraproject.org/wiki/Chromium

Version-Release number of selected component (if applicable):
gnome-packagekit-3.4.2-1.fc17.x86_64

How reproducible:
every time

Steps to Reproduce:
1. add a yum repo which is not signed, e.g., http://repos.fedorapeople.org/repos/spot/chromium-stable/fedora-chromium-stable.repo
2. run gpk-update-viewer

Actual results:
vague dialog does not tell you which packages are not trusted

Expected results:
more details in the dialog explaining which packages are possibly problematic

Additional info:
I see this was reported earlier in bug 569116 for Fedora 12, but it was never resolved and the bug eventually auto-closed as wontfix.
The cinnamon repo is another possible source of this error: http://repos.fedorapeople.org/repos/leigh123linux/cinnamon/fedora-cinnamon.repo Although, cinnamon was recently accepted in the regular Fedora repos so this may not be a good test case anymore.
I experienced this today on Fedora 17. In addition, when denying an update of the somehow unsigned package, the entire update process stops with the odd message 'user declined interaction'.

  Name    : gnome-packagekit
  Arch    : x86_64
  Version : 3.4.2
  Release : 1.fc17
  Size    : 11 M
Same problem. This is a) putting systems at risk because many users will just click on "Force Install" to update, b) preventing users from filing bug reports on improperly signed/packaged software, and c) potentially preventing users from filing bugs on real malware. More information in the pop-up dialog is needed.
I had the same issue today. My updates came from 2 places: fedora-updates (F17) and the pulp-project (pulp-v1-stable). The pulp repos file indicates that gpg is off, so I assume that the packages here were the ones that software update was warning me about. Specifically:

  pulp-admin
  pulp-client-lib
  pulp-common
  pulp-consumer

From this, the pulp-v1-stable repo defined in /etc/yum.repos.d/fedora-pulp.repo:

  [pulp-v1-stable]
  name=Pulp v1
  baseurl=http://repos.fedorapeople.org/repos/pulp/pulp/v1/stable/fedora-$releasever/$basearch/
  enabled=1
  skip_if_unavailable=1
  gpgcheck=0
I'm bumping the priority of this one up to medium before it falls through the cracks again. It's been going on for years and has some security implications, as eloquently stated in comment 4. All we need is to have the names of the unsigned packages listed so the user can make an informed decision before hitting the "Force Install" button or abandoning the entire transaction.
Just wanted to say that this is still an issue in Fedora 17.
It has just happened to me. I don't know if I have to do a "force install".
If you are worried, you should run the update from the command line:

  sudo yum update

It will list the packages to be installed.
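The following is an added example, not code from this thread or from gnome-packagekit, showing the check the reporters are asking the dialog to perform: read the yum .repo definitions (the fedora-pulp.repo snippet quoted earlier has gpgcheck=0), find the enabled repos that do not verify signatures, and name the packages in the pending transaction that come from them. The repo text and the pending-update list are constructed samples embedded in the script; on a real system the .repo files live under /etc/yum.repos.d and the transaction would come from yum or PackageKit. Treating a repo without an explicit gpgcheck=1 as unverified is a conservative choice of this script, since the effective default comes from the [main] section of yum.conf.

```python
"""Name the pending updates that come from yum repos with GPG checking disabled.

Added example; not part of the Bugzilla thread or of gnome-packagekit.
Assumptions: repo definitions are INI-style .repo files as used by yum, and the
pending transaction is modelled as (package, repo-id) pairs. The repo text and
the update list below are constructed samples, not real system data.
"""
import configparser

# Constructed sample of two repo definitions of the kind found in /etc/yum.repos.d.
# The pulp-v1-stable section mirrors the one quoted in this thread (gpgcheck=0).
SAMPLE_REPO_FILE = """\
[fedora-updates]
name=Fedora $releasever - $basearch - Updates
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch

[pulp-v1-stable]
name=Pulp v1
baseurl=http://repos.fedorapeople.org/repos/pulp/pulp/v1/stable/fedora-$releasever/$basearch/
enabled=1
skip_if_unavailable=1
gpgcheck=0
"""

# Constructed sample of the pending transaction: (package name, source repo id).
SAMPLE_PENDING_UPDATES = [
    ("kernel", "fedora-updates"),
    ("firefox", "fedora-updates"),
    ("pulp-admin", "pulp-v1-stable"),
    ("pulp-common", "pulp-v1-stable"),
]


def parse_repo_file(text):
    """Return {repo_id: {option: value}} for every section of a .repo file."""
    # interpolation=None keeps yum variables such as $releasever literal.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}


def unsigned_repos(repos):
    """Ids of enabled repos that do not explicitly enable signature checking.

    Conservative by design (assumption of this script): only gpgcheck=1 counts
    as verified; a missing gpgcheck is reported like an explicit 0.
    """
    flagged = set()
    for repo_id, opts in repos.items():
        if opts.get("enabled", "1") != "1":
            continue  # a disabled repo cannot supply packages to the transaction
        if opts.get("gpgcheck") != "1":
            flagged.add(repo_id)
    return flagged


def untrusted_updates(pending, repos):
    """The (package, repo) pairs the warning dialog should name."""
    flagged = unsigned_repos(repos)
    return [(pkg, repo) for pkg, repo in pending if repo in flagged]


def report(pending, repo_text):
    """Human-readable summary: which packages, and from which repo."""
    repos = parse_repo_file(repo_text)
    bad = untrusted_updates(pending, repos)
    if not bad:
        return "All %d pending updates come from signature-checked repos." % len(pending)
    lines = ["%d of %d pending updates come from repos with gpgcheck disabled:"
             % (len(bad), len(pending))]
    for pkg, repo in bad:
        lines.append("  %s  (repo: %s)" % (pkg, repo))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_PENDING_UPDATES, SAMPLE_REPO_FILE))
```

With the sample data the report names pulp-admin and pulp-common and attributes both to pulp-v1-stable, which is exactly the detail the "not signed by a trusted provider" dialog withholds; a user can then decide per package rather than choosing between "Force install" for all 118 and abandoning the whole transaction.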
No, "if you're worried" is not a solution. As comment 4 clearly states, people will click "Force install" without being worried. If some malware got into their system through this loophole, who would look bad, the individual, or those who decided that such a detail-free dialogue was appropriate? This looks bad for Fedora when yet-to-be-converted people see it too, especially if they're tech-savvy. Confirmed still exists in Fedora 18.
I ran into this today on Fedora 18. I would like to see an option to skip the problematic package, if no other change in this dialog. It would be nice to see more information about the package (such as description, maybe a list of what other installed/to-be-installed packages depend on it) as well as whether the package is signed at all and if so, who signed it. Without this information, this dialog is less-than-helpful.
Just experienced this (Fedora 17) and would like to add to the comments that are pointing this out as a potential security issue - simply adding the name of the package to the dialog would be a huge improvement, although personally I strongly agree with the idea of also allowing the user to skip the problem package(s) [comment 11].
This message is a reminder that Fedora 17 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 17. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '17'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 17's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 17 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 17's end of life. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
This is still a problem on F19
This is still a problem on F20
This message is a notice that Fedora 19 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 19. It is Fedora's policy to close all bug reports from releases that are no longer maintained. Approximately 4 (four) weeks from now this bug will be closed as EOL if it remains open with a Fedora 'version' of '19'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 19 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
This has already been reported against F20 and EL7 [comments 15 and 16]. I submit this should not be closed purely on the EOL of F19.
This message is a reminder that Fedora 20 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 20. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '20'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 20 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 20 changed to end-of-life (EOL) status on 2015-06-23. Fedora 20 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.