[OE-core] [PATCH 5/5] dnf: expand dnf selftest to test signed package feeds
Alexander Kanavin
alexander.kanavin at linux.intel.com
Fri Aug 11 13:20:20 UTC 2017
On 08/11/2017 03:54 PM, Markus Lehtonen wrote:
> Wait a moment. If feed signing is enabled, then dnf's "repo_gpgcheck",
> and "gpgkey" settings should be configured and working by default. You
> shouldn't fix them after the fact in the test. Please add the necessary
> code to insert_feeds_uris() in package_manager.py.
>
> Do you think it's a safe assumption that all repos configured via PACKAGE_FEED_URIS are signed and with the same key?
We had a discussion on IRC; the problem here is that some of those repos
may be from a 3rd party, or created earlier with different signing
settings. We don't provide configuration support for such a mix of
repositories; if PACKAGE_FEED_SIGN is enabled, then it is assumed that
all of the configured repositories are signed with the provided key. If
someone needs a more intricate configuration, they can have it via a
custom repository indexer recipe, and image creation hooks that
configure dnf to match that.
The alternative (not configuring dnf to check the signatures) is worse:
the repos are signed, but then dnf does not actually verify anything. So
the signing is quietly subverted. This default case should simply work,
and not fail quietly.
Alex
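As an added example (not OE-core's code and not the patch under discussion): a Python sketch of how an image-creation hook could render dnf repo stanzas for PACKAGE_FEED_URIS so that PACKAGE_FEED_SIGN always enables repo_gpgcheck and gpgkey, together with an audit that reports any repo left in the "signed but never verified" state. The repo ids, feed URIs and key path are assumptions.

```python
# Added example, not OE-core's own package_manager.py code. Renders dnf .repo
# stanzas for a list of feed URIs and audits them for unverified repos.
import configparser

def render_dnf_repos(feed_uris, feed_sign,
                     gpgkey="file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oe"):
    """Build dnf .repo text for each feed URI.

    When feed_sign is True (the PACKAGE_FEED_SIGN case), every repo gets
    repo_gpgcheck=1 and the one shared gpgkey, since the build assumes all
    configured feeds are signed with that key. The key path is an assumption.
    """
    stanzas = []
    for uri in feed_uris:
        # Derive a stable repo id from the last path component of the URI.
        repo_id = uri.rstrip("/").split("/")[-1] or "feed"
        lines = [f"[{repo_id}]", f"name={repo_id}", f"baseurl={uri}", "enabled=1"]
        if feed_sign:
            lines += ["repo_gpgcheck=1", "gpgcheck=1", f"gpgkey={gpgkey}"]
        else:
            lines += ["repo_gpgcheck=0", "gpgcheck=0"]
        stanzas.append("\n".join(lines))
    return "\n\n".join(stanzas) + "\n"

def unverified_repos(repo_text):
    """Return ids of repos whose metadata signature dnf will not check.

    dnf defaults repo_gpgcheck to 0, so an absent key is treated the same as
    an explicit 0. A repo with the check on but no gpgkey is also reported,
    because there is nothing to verify against.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(repo_text)
    bad = []
    for section in cfg.sections():
        if cfg.get(section, "repo_gpgcheck", fallback="0").strip() != "1":
            bad.append(section)
        elif not cfg.get(section, "gpgkey", fallback="").strip():
            bad.append(section)
    return bad
```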