fedup: does not verify source

Adam Williamson awilliam at redhat.com
Mon Dec 17 18:58:54 UTC 2012


On Mon, 2012-12-17 at 11:27 -0500, Przemek Klosowski wrote:
> On 12/17/2012 01:58 AM, Adam Williamson wrote:
> 
> > fedup essentially automates doing yum distro-sync across a reboot and in
> > an isolated environment, and provides an interface for hooking in any
> > kind of outside-of-yum-mucking-about we might need to do (like the /usr
> > move stuff). It's really just a slightly sophisticated framework to do
> > what you're suggesting.
> >
> 
> I don't understand---the discussion started by pointing out that fedup 
> does not check signatures, then someone said that yum distro-sync does 
> it properly, and you're saying that fedup just automates distro-sync.
> At which point is the signature checking disabled then? And can it be
> restored?

When you do a yum distro-sync according to the instructions on the wiki,
you are supposed to manually import the GPG key for the next release. If
you're doing things Properly, you should somehow verify you're importing
the correct key and not just blindly typing what a wiki page tells you
to, but of course what most people do is blindly type what the wiki page
tells them to...

Anyhow, the tricky thing here lies in somehow making it safe for fedup
to *automatically* import the correct key for the next release. This is
a subtlish problem.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
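The point Adam makes about "doing things Properly" is that the key you import should be checked against a fingerprint you obtained some other, trusted way, rather than imported blindly. The following is an added example, not code from fedup, yum or anyone in this thread: it parses an OpenPGP v4 public-key packet (the format of the RPM-GPG-KEY files that `rpm --import` consumes, after stripping the ASCII armor) and computes the key's fingerprint as RFC 4880 section 12.2 defines it, so that an import can be gated on a match. The sample key, its creation time and the armor block are constructed for the example and are not a real Fedora key; the expected fingerprint is assumed to come from a source outside the wiki page you are copying commands from. The actual `rpm --import` step is deliberately left out so the block runs offline.

```python
"""Check an OpenPGP public key's fingerprint before trusting it (added example)."""
import base64
import hashlib
import hmac
import struct


def dearmor(text: str) -> bytes:
    """Strip ASCII armor and return the raw packet bytes.

    Armor headers (e.g. 'Version:') and the optional '=XXXX' CRC24 line are skipped;
    a blank line separates the headers from the base64 data."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an armored key block")
    body, in_data = [], False
    for line in lines[1:]:
        if line.startswith("-----END PGP"):
            break
        if not in_data:
            in_data = line.strip() == ""
            continue
        if line.startswith("="):
            continue  # CRC24 checksum line, not part of the packet data
        body.append(line.strip())
    return base64.b64decode("".join(body))


def _packet_header(data: bytes):
    """Return (tag, body_offset, body_length) for the first OpenPGP packet."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("invalid packet header")
    if first & 0x40:  # new-format header (RFC 4880 4.2.2)
        tag, l0 = first & 0x3F, data[1]
        if l0 < 192:
            return tag, 2, l0
        if l0 < 224:
            return tag, 3, ((l0 - 192) << 8) + data[2] + 192
        if l0 == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial-length packets not supported")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03  # old-format header (4.2.1)
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate-length packets not supported")


def parse_public_key(raw: bytes) -> dict:
    """Parse a v4 public-key packet (tag 6) and return its body plus key metadata."""
    tag, start, length = _packet_header(raw)
    if tag != 6:
        raise ValueError(f"expected public-key packet (tag 6), got tag {tag}")
    body = raw[start:start + length]
    if len(body) != length:
        raise ValueError("truncated key packet")
    if body[0] != 4:
        raise ValueError("only v4 keys are handled")
    created = struct.unpack(">I", body[1:5])[0]
    algorithm = body[5]                            # 1 = RSA, 17 = DSA, ...
    bits = struct.unpack(">H", body[6:8])[0]       # bit length of the first MPI (RSA n)
    return {"body": body, "created": created, "algorithm": algorithm, "bits": bits}


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-octet body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def fingerprint_of_key(raw: bytes) -> str:
    return v4_fingerprint(parse_public_key(raw)["body"])


def key_matches(raw: bytes, expected_fpr: str) -> bool:
    """True only if the key's fingerprint equals the one obtained out of band.

    Spaces and case are normalised so a fingerprint copied from a printed
    source compares correctly; the comparison itself is constant-time."""
    expected = expected_fpr.replace(" ", "").upper()
    return hmac.compare_digest(fingerprint_of_key(raw), expected)


# Constructed sample: a toy 64-bit RSA public-key packet. NOT a real Fedora key.
_BODY = (b"\x04" + struct.pack(">I", 1355770734) + b"\x01"   # v4, creation time, RSA
         + b"\x00\x40" + bytes.fromhex("C0FFEE0123456789")  # MPI n (64 bits, toy value)
         + b"\x00\x11" + b"\x01\x00\x01")                    # MPI e = 65537 (17 bits)
SAMPLE_KEY = b"\x98" + bytes([len(_BODY)]) + _BODY           # old-format header, tag 6

# The same key wrapped in constructed ASCII armor (CRC line omitted on purpose).
SAMPLE_ARMORED = (
    "-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
    "Version: constructed example\n"
    "\n"
    + base64.b64encode(SAMPLE_KEY).decode() + "\n"
    "-----END PGP PUBLIC KEY BLOCK-----\n"
)

if __name__ == "__main__":
    fpr = fingerprint_of_key(SAMPLE_KEY)
    print("computed fingerprint:", fpr)
    # In real use, compare against a fingerprint you trust; only then run rpm --import.
    print("armored copy matches:", key_matches(dearmor(SAMPLE_ARMORED), fpr))
```

The decision to import should hang on `key_matches` returning true for a fingerprint that did not come from the same untrusted channel as the key itself; a fingerprint copied from the page that also tells you which key to import adds nothing.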