## download.media_preference = download
##
+## Signature checking (repo metadata and downloaded rpm packages)
+##
+## boolean gpgcheck (default: on)
+## boolean repo_gpgcheck (default: unset -> according to gpgcheck)
+## boolean pkg_gpgcheck (default: unset -> according to gpgcheck)
+##
+## Explicitly setting 'gpgcheck', 'repo_gpgcheck' 'pkg_gpgcheck' in a
+## repositories .repo file will overwrite the defaults for this specific
+## repo.
+##
+## If 'gpgcheck' is 'on' (the default) we will check the signature of repo metadata
+## (packages are secured via checksum inside the metadata). Using unsigned repos
+## needs to be confirmed.
+## Packages from signed repos are accepted if their checksum matches the checksum
+## stated in the repo metadata.
+## Packages from unsigned repos need a valid gpg signature, using unsigned packages
+## needs to be confirmed.
+##
+## The above default behavior can be tuned by explicitly setting 'repo_gpgcheck'
+## and/or 'pkg_gpgcheck':
+##
+## 'repo_gpgcheck = on' same as the default.
+##
+## 'repo_gpgcheck = off' will silently accept unsigned repos. It will NOT turn off
+## signature checking on the whole, nevertheless it's not a secure setting.
+##
+## 'pkg_gpgcheck = on' will enforce the package signature checking and the need
+## to confirm unsigned packages for all repos (signed and unsigned).
+##
+## 'pkg_gpgcheck = off' will silently accept unsigned packages. It will NOT turn off
+## signature checking on the whole, nevertheless it's not a secure setting.
+##
+## If 'gpgCheck' is 'off' (not recommended), no checks are performed. You can still
+## enable them individually by setting 'repo_gpgcheck' and/or 'pkg_gpgcheck' to 'on'.
+##
+## NOTE:
+## BSC#1038984: For a short period of time, libzypp-16.15.x
+## will silently accept unsigned packages IFF a repositories gpgcheck
+## configuration is explicitly turned OFF like this:
+## gpgcheck = 0
+## repo_gpgcheck = 0
+## pkg_gpgcheck = 1
+## This will allow some already released products to adapt to the behavioral
+## changes introduced by fixing BSC#1038984, while systems with a default
+## configuration (gpgcheck = 1) already benefit from the fix in libzypp-16.15.x.
+## With libzypp-16.16.x the above configuration will reject unsigned packages
+## as it is supposed to do.
+##
+## DISABLING GPG CHECKS IS NOT RECOMMENDED.
+## Signing data enables the recipient to verify that no modifications
+## occurred after the data were signed. Accepting data with no, wrong
+## or unknown signature can lead to a corrupted system and in extreme
+## cases even to a system compromise.
+##
+# repo_gpgcheck = unset -> according to gpgcheck
+# pkg_gpgcheck = unset -> according to gpgcheck
+
+##
## Commit download policy to use as default.
##
## DownloadOnly, Just download all packages to the local cache.
##
## When committing a dist upgrade (e.g. 'zypper dup') a solver testcase
## is written to /var/log/updateTestcase-<date>. It is needed in bugreports.
-## This optin returns the number of testcases to keep on the system. Old
+## This option returns the number of testcases to keep on the system. Old
## cases will be deleted, as new ones are created.
##
## Use 0 to write no testcase at all, or -1 to keep all testcases.
## oldest - Keep kernel with the lowest version number (the GA kernel)
## oldest+N - Keep kernel with the Nth lowest version number
##
+## Note: This entry is not evaluated by libzypp, but by the
+## purge-kernels service (via /sbin/purge-kernels).
+##
## Default: Do not delete any kernels if multiversion = provides:multiversion(kernel) is set
multiversion.kernels = latest,latest-1,running
projects / platform / upstream / libzypp.git / blobdiff