Richard, Mario, thanks for the feedback, it's been helpful. I'm not sure that everything's hooked up correctly though -- when I replace both these files with my own GPG key and run fwupdmgr refresh I get no errors:
/etc/pki/fwupd-metadata/GPG-KEY-Linux-Vendor-Firmware-Service /etc/pki/fwupd/GPG-KEY-Linux-Vendor-Firmware-Service /var/cache/app-info/xmls/fwupd.xml is written and has a current timestamp. Removing those key files also doesn't appear to change anything. Removing the /usr/bin/gpg* executables didn't appear to change anything. I also tried to change the downloaded /tmp/firmware.xml.gz or /tmp/firmware.xml.gz.asc files to simulate corrupted or modified contents but had trouble getting the inotify magic to work. Testing this case will take more time than I've got at the moment but I suspect this error case is also not properly handled. Can these error conditions be properly handled before release? Is fwupd currently "released" enough to justify getting CVEs assigned for these unhandled error cases? Can they be programmatically tested to ensure they don't return? Thanks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1536871 Title: [MIR] fwupd To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/1536871/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
