FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora User

 
 
LinkBack Thread Tools
 
Old 01-03-2012, 12:35 PM
Alexander Volovics
 
Default The software is not from a trusted source ???

On Tue, Jan 03, 2012 at 02:13:54PM +0100, Reindl Harald wrote:

> Am 03.01.2012 14:09, schrieb Alexander Volovics:
> > When using 'software update' to get and install the last batch of
> > 7 updates the following was displayed:
> >
> > "The software is not from a trusted source. Do not update these
> > packages unless you are sure it is save to do so"
> >
> > Is this something new in packagekit or does it have anything to do
> > with the "cyrus SASL" packages.

> please use "yum update" as root
> error-messages of a graphical interface sucks

> i guess there is some unsigend package, but that's why
> i never use graphical interfaces as long yum exists

I also mostly use yum, but occasionaly the update gui to
'break the monotony'.

I was just rather surprised to see this message and would like to know
if packagekit is getting "more sophisticated" or there was some slight
problem with one of the packages (unsigned?)

AV



> --
> users mailing list
> users@lists.fedoraproject.org
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> Have a question? Ask away: http://ask.fedoraproject.org

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 01-03-2012, 12:37 PM
Frank Murphy
 
Default The software is not from a trusted source ???

On 03/01/12 13:09, Alexander Volovics wrote:


"The software is not from a trusted source. Do not update these
packages unless you are sure it is save to do so"


Do you have 3rd party repos.


Is this something new in packagekit or does it have anything to do
with the "cyrus SASL" packages.


Been there always iirc.

--
Regards,

Frank Murphy
UTF_8 Encoded
Friend of fedoraproject.org
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 01-03-2012, 12:49 PM
Alan Cox
 
Default The software is not from a trusted source ???

> I was just rather surprised to see this message and would like to know
> if packagekit is getting "more sophisticated" or there was some slight
> problem with one of the packages (unsigned?)

Or the copy on your mirror has been tampered with so has a bogus
signature. It's not something you should treat likely. Sure 99.9% of the
time its probably a process error in producing the package or if you've
added extra repositories and it comes from one of them you may not have
imported the needed key.

But it might not be, and one day someone will trojan a mirror site and
people who disable and ignore the signing checks will get burned.

Another thing to check btw is that the package is simply not corrupt in
the download. Yum used to be very stupid about this and would keep the
corrupt package cached and keep erroring it. I've no idea if it was
fixed - but see if yum clean all then updating fixes it.

Alan
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 01-03-2012, 12:50 PM
Alexander Volovics
 
Default The software is not from a trusted source ???

On Tue, Jan 03, 2012 at 01:37:33PM +0000, Frank Murphy wrote:
> On 03/01/12 13:09, Alexander Volovics wrote:

> >"The software is not from a trusted source. Do not update these
> > packages unless you are sure it is save to do so"

> Do you have 3rd party repos.

Yes rpmfusion, but there was no rpmfusion package among the updates.

> >Is this something new in packagekit or does it have anything to do
> >with the "cyrus SASL" packages.

> Been there always iirc.

Must have missed it then. But then I seldom use the gui.

AV

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 01-03-2012, 01:02 PM
Alexander Volovics
 
Default The software is not from a trusted source ???

On Tue, Jan 03, 2012 at 01:49:45PM +0000, Alan Cox wrote:
> > I was just rather surprised to see this message and would like to know
> > if packagekit is getting "more sophisticated" or there was some slight
> > problem with one of the packages (unsigned?)

> Or the copy on your mirror has been tampered with so has a bogus
> signature. It's not something you should treat likely. Sure 99.9% of the
> time its probably a process error in producing the package or if you've
> added extra repositories and it comes from one of them you may not have
> imported the needed key.
>
> But it might not be, and one day someone will trojan a mirror site and
> people who disable and ignore the signing checks will get burned.
>
> Another thing to check btw is that the package is simply not corrupt in
> the download. Yum used to be very stupid about this and would keep the
> corrupt package cached and keep erroring it. I've no idea if it was
> fixed - but see if yum clean all then updating fixes it.

When packagekit update showed this message I could have gone ahead with
the download/update but I switched to using yum.

Yum showed nothing 'strange' and the updates proceeded without problem
and checked out ok.

So it all remains something of a mystery.

AV

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 01-03-2012, 05:21 PM
Joe Zeff
 
Default The software is not from a trusted source ???

On 01/03/2012 05:35 AM, Alexander Volovics wrote:

I was just rather surprised to see this message and would like to know
if packagekit is getting "more sophisticated" or there was some slight
problem with one of the packages (unsigned?)


There's a known issue at rpmfusion: some of the packages haven't been
updated to the latest key yet. You need to turn off gpg-key checking
either as an option in yumex or on the command line with yum to get
around this.

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 01-03-2012, 06:15 PM
Craig White
 
Default The software is not from a trusted source ???

On Tue, 2012-01-03 at 10:21 -0800, Joe Zeff wrote:
> On 01/03/2012 05:35 AM, Alexander Volovics wrote:
> > I was just rather surprised to see this message and would like to know
> > if packagekit is getting "more sophisticated" or there was some slight
> > problem with one of the packages (unsigned?)
>
> There's a known issue at rpmfusion: some of the packages haven't been
> updated to the latest key yet. You need to turn off gpg-key checking
> either as an option in yumex or on the command line with yum to get
> around this.
----
that is a terrible idea/terrible advice and I can't believe that the
folks at rpmfusion would give that advice either.

Craig


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 01-03-2012, 06:31 PM
Joe Zeff
 
Default The software is not from a trusted source ???

On 01/03/2012 11:15 AM, Craig White wrote:

that is a terrible idea/terrible advice and I can't believe that the
folks at rpmfusion would give that advice either.


Not if you do it right: you only select the packages from rpmfusion in
yumex, or only list them on yum's command line. Turning it off for
everything would, of course, be a Bad Idea, but once in a while you need
to turn it off for specific packages unless you don't want to update
them until the people at rpmfusion get everything corrected.

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 01-03-2012, 08:12 PM
Alexander Volovics
 
Default The software is not from a trusted source ???

On Tue, Jan 03, 2012 at 10:21:13AM -0800, Joe Zeff wrote:

> On 01/03/2012 05:35 AM, Alexander Volovics wrote:
> >I was just rather surprised to see this message and would like to know
> >if packagekit is getting "more sophisticated" or there was some slight
> >problem with one of the packages (unsigned?)

> There's a known issue at rpmfusion: some of the packages haven't
> been updated to the latest key yet. You need to turn off gpg-key
> checking either as an option in yumex or on the command line with
> yum to get around this.

Every package in the updates installed without a problem WITH
gpg-key checking using 'yum update' AND on a 2nd pc using the packagekit
update gui.

So if there is some problem with rpmfusion keys it is strange that
the update gui gives the warning when finding updates and listing
the packages BEFORE there was any attempt at installation and I
presume gpg-key checking.

That would mean it gives a warning about possible untrusted packages
just on finding one from rpmfusion?

And there was certainly nothing wrong with the key.

Very strange.

(And I would not turn off gpg-key checking but would wait for the
problem to be resolved).

AV

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 01-03-2012, 08:37 PM
Joe Zeff
 
Default The software is not from a trusted source ???

On 01/03/2012 01:12 PM, Alexander Volovics wrote:

So if there is some problem with rpmfusion keys it is strange that
the update gui gives the warning when finding updates and listing
the packages BEFORE there was any attempt at installation and I
presume gpg-key checking.


I wasn't sure of the timing. I also knew that there was a gpg-key issue
with ffmpeg and its library when I used yumex to update yesterday, but
everything else went well. And, it seems that there's only a few
packages that don't have the right key, or at least that's what I found
when I checked rpmfusion's Bugzilla.

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 

Thread Tools




All times are GMT. The time now is 05:50 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org