[OE-core] [PATCH 1/1] rpm: make install with --nosignature and --nodigest work

Mark Hatle mark.hatle at windriver.com
Tue Sep 20 20:33:10 UTC 2016


On 9/20/16 10:00 AM, Burton, Ross wrote:
> 
> On 20 September 2016 at 09:15, Hongxu Jia <hongxu.jia at windriver.com> wrote:
> 
>     -Upstream-Status: Submitted [Sent email to rpm-devel at rpm5.org]
>     +Upstream-Status: Rejected [Sent email to rpm-devel at rpm5.org
>     +http://rpm5.org/community/rpm-devel/5655.html]
> 
> 
> Considering upstream has explicitly rejected this patch, why should we accept it?
> 
> Ross
> 
> 

I'm confused by what the patch is doing looking at it.

It sounds like from the description there is a bug that without the change,
packages with (intentionally) bad checksums and such are allowed to be installed.

The bug is caused by a previous patch that enabled nosignature, etc -- because
the comparisons turned out to be backwards.

So really nosignature, etc is already in place -- it's just not working properly?

What was rejected upstream is the use of nosignature in any context.  The RPM5
maintainer believes it is unwise and unsafe to permit users to install packages
that have failed basic validation.  (I tend to agree.)  Similarly, even being
able to run queries and other operations against them may be dangerous as well.

If fixing the problem is as simple as reverting the other change -- and that
doesn't cause other problems elsewhere...  I'd rather see that.

--Mark
