On 06/22/16 11:59, Gordon Messmer wrote:
I'll admit that the risk is hypothetical, but what does rpmfusion's flux have to do with the risk of allowing unsigned packages?
It was only one package that was unsigned, and it came from rpmfusion, and they are in the middle of putting up a new infrastructure. So not unthinkable a package had slipped thru unsigned.
(Bearing in mind, that flag is global. You told dnf to ignore signatures for all packages, on all repos.)
Yes, except that it was just the one package and, while I did not mention it, I checked some of the downloaded rpms in the cache. Yes, it probably would have been a "better" idea to disable the gpgcheck in the rpmfusion repo.
--
You're Welcome Zachary Quinto
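
The scope difference discussed in this thread, as an added example that is not part of either poster's message: a small auditor that computes which enabled repos end up without signature checking when `gpgcheck=0` is set in one repo section versus when a global command-line override (such as dnf's `--nogpgcheck`) is used. The sample config, the repo ids, the merged single-file layout, the accepted boolean spellings and the built-in default are assumptions made for the illustration.

```python
import configparser

TRUTHY = {"1", "yes", "true", "on"}  # assumed set of accepted "true" spellings

# Constructed sample: [main] plus two repo sections, merged into one text.
SAMPLE = """\
[main]
gpgcheck=1

[fedora]
enabled=1

[rpmfusion-free]
enabled=1
gpgcheck=0
"""

def _flag(value, fallback):
    """Parse a boolean option; an unset option inherits the fallback."""
    return fallback if value is None else value.strip().lower() in TRUTHY

def effective_gpgcheck(text, cli_nogpgcheck=False, builtin_default=False):
    """Return {repo_id: bool}: is signature checking in force for each enabled repo?

    builtin_default is the assumed value when neither [main] nor the repo sets gpgcheck.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    main = _flag(cp.get("main", "gpgcheck", fallback=None), builtin_default)
    result = {}
    for repo in cp.sections():
        if repo == "main":
            continue
        if not _flag(cp.get(repo, "enabled", fallback=None), True):
            continue  # disabled repos cannot supply packages
        per_repo = _flag(cp.get(repo, "gpgcheck", fallback=None), main)
        # A command-line override is global: it beats every repo's own setting.
        result[repo] = per_repo and not cli_nogpgcheck
    return result

def unverified(text, **kw):
    """Sorted ids of enabled repos whose packages would install unverified."""
    return sorted(r for r, on in effective_gpgcheck(text, **kw).items() if not on)

if __name__ == "__main__":
    print("per-repo gpgcheck=0 :", unverified(SAMPLE))
    print("global override     :", unverified(SAMPLE, cli_nogpgcheck=True))
```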