
Re: fedup: does not verify source

From:  Adam Williamson <awilliam-AT-redhat.com>
To:  Development discussions related to Fedora <devel-AT-lists.fedoraproject.org>
Subject:  Re: fedup: does not verify source
Date:  Mon, 17 Dec 2012 10:58:54 -0800
Message-ID:  <1355770734.1560.68.camel@adam>

On Mon, 2012-12-17 at 11:27 -0500, Przemek Klosowski wrote:
> On 12/17/2012 01:58 AM, Adam Williamson wrote:
> 
> > fedup essentially automates doing yum distro-sync across a reboot and in
> > an isolated environment, and provides an interface for hooking in any
> > kind of outside-of-yum-mucking-about we might need to do (like the /usr
> > move stuff). It's really just a slightly sophisticated framework to do
> > what you're suggesting.
> >
> 
> I don't understand---the discussion started by pointing out that fedup 
> does not check signatures, then someone said that yum distro-sync does 
> it properly, and you're saying that fedup just automates distro-sync.
> At which point is the signature checking disabled then? And can it be 
> restored?

When you do a yum distro-sync according to the instructions on the wiki,
you are supposed to manually import the GPG key for the next release. If
you're doing things Properly, you should somehow verify you're importing
the correct key and not just blindly typing what a wiki page tells you
to, but of course what most people do is blindly type what the wiki page
tells them to...

Anyhow, the tricky thing here lies in somehow making it safe for fedup
to *automatically* import the correct key for the next release. This is
a subtlish problem.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel




Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds