X-Git-Url: https://mattmccutchen.net/utils/utils.git/blobdiff_plain/6ac3cd7b06e88ca0153a8a54d2a28df2c7336cfc..4f0f2877faf1a7d524ffd5557bfc38bf60e9c493:/rpmconf-matt?ds=inline diff --git a/rpmconf-matt b/rpmconf-matt index 4cb5093..7f28ad7 100755 --- a/rpmconf-matt +++ b/rpmconf-matt @@ -3,14 +3,14 @@ # SECURITY NOTICE: If your system is missing the original version (.rpmbase) of # a configuration file you have modified, rpmconf-matt will automatically get it -# by downloading the original package with "dnf download", which (IIUC) does not -# check the package's GPG signature even if dnf is normally configured to do so. -# (TODO: File an upstream bug about this?) rpmconf-matt checks the digest of +# by downloading the original package with "dnf download", which does not +# check the package's GPG signature even if dnf is normally configured to do so +# (https://bugzilla.redhat.com/show_bug.cgi?id=1879791). rpmconf-matt checks the digest of # the file before using it, but a fuzzed package might be able to compromise # your system during extraction. This is less of a problem if your repository # metadata is integrity protected (e.g., by SSL on the metalink or repomd) -# because "dnf download" checks the digest of the downloaded package before -# exiting successfully. +# because "dnf download" refuses to save a package whose digest does not match +# the metadata. # Known blockers to submission to Fedora: Basically removing assumptions specific to my setup. # - Decide how to name it vs. existing "rpmconf" in Fedora
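Review bot: the reworded notice still leaves the stated risk open: the new lines document that "dnf download" skips GPG verification (now citing the bugzilla entry) and that only a digest check stands between a "fuzzed package" and extraction, but no code change closes that gap. Rather than relying on the repository metadata being integrity protected, consider having rpmconf-matt verify the downloaded package's signature itself before extracting anything (for example with `rpmkeys --checksig` against the system's imported keys) and abort on failure, then say so in the notice; that turns the "less of a problem if ..." caveat into an actual check. Minor: the line ending "rpmconf-matt checks the digest of" now runs past the 80-column width the rest of the comment block keeps to; rewrapping the paragraph would keep the header consistent.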