From: Matt McCutchen Date: Thu, 17 Sep 2020 02:57:45 +0000 (-0400) Subject: Update rpmconf-matt to reflect that I've filed a bug about the failure X-Git-Url: https://mattmccutchen.net/utils/utils.git/commitdiff_plain/4f0f2877faf1a7d524ffd5557bfc38bf60e9c493?ds=inline Update rpmconf-matt to reflect that I've filed a bug about the failure of "dnf download" to verify GPG signatures. Woohoo! --- diff --git a/rpmconf-matt b/rpmconf-matt index 4cb5093..7f28ad7 100755 --- a/rpmconf-matt +++ b/rpmconf-matt @@ -3,14 +3,14 @@ # SECURITY NOTICE: If your system is missing the original version (.rpmbase) of # a configuration file you have modified, rpmconf-matt will automatically get it -# by downloading the original package with "dnf download", which (IIUC) does not -# check the package's GPG signature even if dnf is normally configured to do so. -# (TODO: File an upstream bug about this?) rpmconf-matt checks the digest of +# by downloading the original package with "dnf download", which does not +# check the package's GPG signature even if dnf is normally configured to do so +# (https://bugzilla.redhat.com/show_bug.cgi?id=1879791). rpmconf-matt checks the digest of # the file before using it, but a fuzzed package might be able to compromise # your system during extraction. This is less of a problem if your repository # metadata is integrity protected (e.g., by SSL on the metalink or repomd) -# because "dnf download" checks the digest of the downloaded package before -# exiting successfully. +# because "dnf download" refuses to save a package whose digest does not match +# the metadata. # Known blockers to submission to Fedora: Basically removing assumptions specific to my setup. # - Decide how to name it vs. existing "rpmconf" in Fedora
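Review bot: the rewritten SECURITY NOTICE in this hunk documents the weakness but the script still does nothing about it: the .rpmbase is fetched with "dnf download", which the comment now says (citing bz 1879791) skips GPG verification, and the only check before extraction is the digest of the downloaded package against the repository metadata, which the comment itself concedes does not rule out a malicious package compromising the system during extraction. Since the fix is now known to be an upstream bug rather than a misunderstanding, consider having rpmconf-matt verify the downloaded .rpm itself before it is extracted, e.g. `rpmkeys --checksig <pkg>.rpm` against the keys already imported for the system, so the script no longer depends on the upstream fix landing; if that is deliberately out of scope, say so in the notice. Style point: the new line "(https://bugzilla.redhat.com/show_bug.cgi?id=1879791). rpmconf-matt checks the digest of" runs well past the 80-column wrap the rest of the comment block keeps; rewrap the paragraph (the URL can sit on its own line).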