# SECURITY NOTICE: If your system is missing the original version (.rpmbase) of
# a configuration file you have modified, rpmconf-matt will automatically get it
-# by downloading the original package with "dnf download", which (IIUC) does not
-# check the package's GPG signature even if dnf is normally configured to do so.
-# (TODO: File an upstream bug about this?) rpmconf-matt checks the digest of
+# by downloading the original package with "dnf download", which does not
+# check the package's GPG signature even if dnf is normally configured to do so
+# (https://bugzilla.redhat.com/show_bug.cgi?id=1879791). rpmconf-matt checks the digest of
# the file before using it, but a fuzzed package might be able to compromise
# your system during extraction. This is less of a problem if your repository
# metadata is integrity protected (e.g., by SSL on the metalink or repomd)
-# because "dnf download" checks the digest of the downloaded package before
-# exiting successfully.
+# because "dnf download" refuses to save a package whose digest does not match
+# the metadata.
# Known blockers to submission to Fedora: Basically removing assumptions specific to my setup.
# - Decide how to name it vs. existing "rpmconf" in Fedora
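Review bot: the notice describes the risk of an unsigned download but not a mitigation the tool could apply itself; since rpmconf-matt has the downloaded package on disk before it extracts anything, consider having it run `rpm --checksig` (or `rpmkeys --checksig`) against the installed repository keys and refuse to extract on failure, then document that here instead of relying only on transport integrity. Two smaller points in the same paragraph: "SSL on the metalink or repomd" would be clearer as "HTTPS for the metalink and repomd.xml", and the stronger dnf-side protection for metadata is `repo_gpgcheck=1`, which is worth naming since the digest check in "dnf download" only helps if the metadata itself is trustworthy.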