rpm libuser-devel is not signed

04-20-2011, 07:26 PM
Olaf Mueller

Hello,

'yum update' runs into the following error message.

Package libuser-devel-0.54.7-2.1.el5_5.2.i386.rpm is not signed


regards
Olaf
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
04-20-2011, 11:49 PM
Ben McGinnes

On 21/04/11 5:26 AM, Olaf Mueller wrote:
> Hello,
>
> 'yum update' runs into the following error message.
>
> Package libuser-devel-0.54.7-2.1.el5_5.2.i386.rpm is not signed

I got this too; there are two ways around it:

1) Wait until the package is signed and then update.

2) Run: yum update --nogpgcheck


Regards,
Ben

04-21-2011, 06:04 AM
Mathieu Baudier

>> 'yum update' runs into the following error message.
>>
>> Package libuser-devel-0.54.7-2.1.el5_5.2.i386.rpm is not signed
>
> I got this too; there are two ways around it:
>
> 1) Wait until the package is signed and then update.
>
> 2) Run: yum update --nogpgcheck

Other workarounds for this particular issue have just been suggested here:
http://lists.centos.org/pipermail/centos/2011-April/110547.html
http://lists.centos.org/pipermail/centos/2011-April/110551.html
04-21-2011, 08:26 AM
Johnny Hughes

On 04/21/2011 01:04 AM, Mathieu Baudier wrote:
>>> 'yum update' runs into the following error message.
>>>
>>> Package libuser-devel-0.54.7-2.1.el5_5.2.i386.rpm is not signed
>>
>> I got this too; there are two ways around it:
>>
>> 1) Wait until the package is signed and then update.
>>
>> 2) Run: yum update --nogpgcheck
>
> Other workarounds for this particular issue have just been suggested here:
> http://lists.centos.org/pipermail/centos/2011-April/110547.html
> http://lists.centos.org/pipermail/centos/2011-April/110551.html


This issue has been taken care of on all the CentOS mirrors about 10
hours ago.

04-21-2011, 10:34 AM
Karanbir Singh

On 04/21/2011 09:26 AM, Johnny Hughes wrote:
>> Other workarounds for this particular issue have just been suggested here:
>> http://lists.centos.org/pipermail/centos/2011-April/110547.html
>> http://lists.centos.org/pipermail/centos/2011-April/110551.html

I find it strange that people are making such recommendations. A
non-verifiable signature is a MASSIVE deal. Working 'around' that is to stop
doing what you are doing, and not do any package centric operation till
the issue is fixed and resolved in an acceptable manner.

- KB
04-21-2011, 10:35 AM
Karanbir Singh

On 04/21/2011 12:49 AM, Ben McGinnes wrote:
> 2) Run: yum update --nogpgcheck

Please don't do that.

- KB
04-21-2011, 10:59 AM
John Hodrien

On Thu, 21 Apr 2011, Karanbir Singh wrote:

> On 04/21/2011 09:26 AM, Johnny Hughes wrote:
>>> Other workarounds for this particular issue have just been suggested here:
>>> http://lists.centos.org/pipermail/centos/2011-April/110547.html
>>> http://lists.centos.org/pipermail/centos/2011-April/110551.html
>
> I find it strange that people are making such recommendations. A
> non-verifiable signature is a MASSIVE deal. Working 'around' that is to stop
> doing what you are doing, and not do any package centric operation till
> the issue is fixed and resolved in an acceptable manner.

It's all too often the advice you'll see. On Spacewalk, the standard response
to dealing with unsigned (or signed with an unimported key) is to disable all
gpg checks. It's cringeworthy, and wrong on so many levels.

jh
04-21-2011, 11:26 AM
Mathieu Baudier

>>> Other workarounds for this particular issue have just been suggested here:
>>> http://lists.centos.org/pipermail/centos/2011-April/110547.html
>>> http://lists.centos.org/pipermail/centos/2011-April/110551.html
>
> I find it strange that people are making such recommendations. A
> non-verifiable signature is a MASSIVE deal. Working 'around' that is to stop
> doing what you are doing, and not do any package centric operation till
> the issue is fixed and resolved in an acceptable manner.

Sorry, but not everybody is on production machines.

Since the OP could not analyze the error message himself, one could
safely assume he is not dealing with critical production environments.
Maybe he was just told: "install quickly this CentOS in VirtualBox,
just to make sure our app is compatible", and in that case the sooner
the better.

My "advice" and those of others were underlining the security risk.
The one of Akemi seems pretty safe (not installing the update).

To put it shortly: Freedom, as in "free software", is about doing
whatever you want.

This being said, I do agree that having a non-signed package is a MASSIVE deal.
Do we have more details about what's going on here?
04-21-2011, 11:33 AM
John Hodrien

On Thu, 21 Apr 2011, Mathieu Baudier wrote:

> Sorry, but not everybody is on production machines.
>
> Since the OP could not analyze the error message himself, one could
> safely assume he is not dealing with critical production environments.
> Maybe he was just told: "install quickly this CentOS in VirtualBox,
> just to make sure our app is compatible", and in that case the sooner
> the better.
>
> My "advice" and those of others were underlining the security risk.
> The one of Akemi seems pretty safe (not installing the update).
>
> To put it shortly: Freedom, as in "free software", is about doing
> whatever you want.

Not updating is entirely sensible and sounds like the best default position.
Installing a package you'd expect to be signed when it isn't signed should
ring alarm bells.

Freedom includes being free to make poor decisions.

jh
04-21-2011, 11:35 AM
Karanbir Singh

On 04/21/2011 12:26 PM, Mathieu Baudier wrote:
> Sorry, but not everybody is on production machines.

Security and integrity of an install is not optional, wherever you might
be. Imho anyway.

> Maybe he was just told: "install quickly this CentOS in VirtualBox,
> just to make sure our app is compatible", and in that case the sooner
> the better.
>
> My "advice" and those of others were underlining the security risk.
> The one of Akemi seems pretty safe (not installing the update).

If there is reason to suspect a mirror or installation is compromised,
one should - again imho - not be doing any operations against that.

> To put it shortly: Freedom, as in "free software", is about doing
> whatever you want.

That's true, but there is also a sense of responsibility that comes with
that advice that is handed out and who / where it's being handed out. One
could potentially assume that the people on this list would know what
they are talking about and would only advise based on what's considered
best practices. The fact that the OP didn't know what was going on would
be a good sign to assume that he was looking for people who did know
what was going on. E.g. telling people to jump off a cliff, just because
you can, isn't nice. Freedom or otherwise.

> This being said, I do agree that having a non-signed package is a MASSIVE deal.
> Do we have more details about what's going on here?

Yes, a package was released, unsigned, and has been fixed (and 4 more
tests added to the release process to make sure that this does not
happen again; or at least reduce the chance of this going out).

- KB
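
The position argued in the replies above (hold the update rather than pass `--nogpgcheck`) can be automated. The following is an added example, not code from the thread or from the CentOS project: a POSIX shell filter that classifies `rpm -K` result lines and lists the packages to hold back. The result-line formats it matches are assumed to be those printed by rpm 4.4-era and newer releases; the sample lines and the key id `00000000` are constructed.

```shell
#!/bin/sh
# Added example: hold back any package that `rpm -K` (--checksig) does not
# report as signed AND verified, instead of disabling GPG checks.

# classify_checksig LINE -> signed_ok | unsigned | missing_key | bad
classify_checksig() {
    result=${1#*: }                      # drop the "package.rpm: " prefix
    case "$result" in
        *"NOT OK"*"MISSING KEYS"*) echo missing_key ;;  # signed, key not imported
        *"NOT OK"*)                echo bad ;;          # digest/signature mismatch
        *" gpg OK"|*" pgp OK"|*signatures*" OK") echo signed_ok ;;
        *" OK")                    echo unsigned ;;     # digests only, no signature
        *)                         echo bad ;;          # unknown output: fail closed
    esac
}

# held_back: read checksig lines on stdin, print "status package" for every
# package that must not be installed; return 1 if there is at least one.
held_back() {
    rc=0
    while IFS= read -r line; do
        status=$(classify_checksig "$line")
        [ "$status" = signed_ok ] && continue
        echo "$status ${line%%: *}"
        rc=1
    done
    return $rc
}

# Constructed sample of `rpm -K *.rpm` output (only the libuser-devel file
# name comes from the thread; the other packages are made up).
sample_lines() {
    cat <<'EOF'
example-a-1.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK
libuser-devel-0.54.7-2.1.el5_5.2.i386.rpm: sha1 md5 OK
example-b-1.0-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)
EOF
}

# Real use would be: rpm -K /path/to/downloaded/*.rpm | held_back
sample_lines | held_back || echo "update blocked: do not install the packages listed above"
```

Unrecognised output is treated as a failure, so a change in rpm's wording blocks the update rather than letting an unverified package through.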