From 4f0f2877faf1a7d524ffd5557bfc38bf60e9c493 Mon Sep 17 00:00:00 2001 From: Matt McCutchen Date: Wed, 16 Sep 2020 22:57:45 -0400 Subject: [PATCH] Update rpmconf-matt to reflect that I've filed a bug about the failure of "dnf download" to verify GPG signatures. Woohoo! --- rpmconf-matt | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rpmconf-matt b/rpmconf-matt index 4cb5093..7f28ad7 100755 --- a/rpmconf-matt +++ b/rpmconf-matt @@ -3,14 +3,14 @@ # SECURITY NOTICE: If your system is missing the original version (.rpmbase) of # a configuration file you have modified, rpmconf-matt will automatically get it -# by downloading the original package with "dnf download", which (IIUC) does not -# check the package's GPG signature even if dnf is normally configured to do so. -# (TODO: File an upstream bug about this?) rpmconf-matt checks the digest of +# by downloading the original package with "dnf download", which does not +# check the package's GPG signature even if dnf is normally configured to do so +# (https://bugzilla.redhat.com/show_bug.cgi?id=1879791). rpmconf-matt checks the digest of # the file before using it, but a fuzzed package might be able to compromise # your system during extraction. This is less of a problem if your repository # metadata is integrity protected (e.g., by SSL on the metalink or repomd) -# because "dnf download" checks the digest of the downloaded package before -# exiting successfully. +# because "dnf download" refuses to save a package whose digest does not match +# the metadata. # Known blockers to submission to Fedora: Basically removing assumptions specific to my setup. # - Decide how to name it vs. existing "rpmconf" in Fedora -- 2.34.1
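Review bot: The hunk only documents the missing GPG verification rather than closing it; since rpmconf-matt already holds the downloaded .rpm on disk before extracting it, consider running `rpm --checksig` (rpm -K) on that file and aborting on failure, which would give the signature check the comment says "dnf download" skips, independent of the upstream bug. The rewritten sentence about refusing to save a package whose digest does not match the metadata is clearer than the old "checks the digest ... before exiting successfully", but the new comment line carrying the bugzilla URL runs well past the width of the surrounding lines; wrapping it would keep the header block consistent.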