[packagekit] Don't allow updates from unsigned repos with unsigned packages

[Richard Hughes]

The attached patch to the yum backend makes the backend disallow doing
updates from an unsigned mirror with unsigned packages.

This is a bad idea, as the sort of mirror that is unsigned, is probably
not trusted, and an easy exploitable way of getting exploit code on
computers with the settings set to auto update.

I'm not sure if this militant setting should be applied on explicit
package installs, but it seems like a good idea.

Rationale: I don't want a security exploit "caused by PackageKit" when a
random mirror gets compromised and people start playing the blame game.

Comments? Nothing in git.

Richard.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pk-yum-allow-unsigned-unsigned.patch
Type: text/x-patch
Size: 6728 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/packagekit/attachments/20081014/497ff2ae/attachment-0004.bin>