Comment 16 for bug 1536871

Seth Arnold (seth-arnold) wrote :

Richard, Mario, thanks for the feedback, it's been helpful.

I'm not sure that everything's hooked up correctly though -- when I
replace both these files with my own GPG key and run fwupdmgr refresh I
get no errors:

/etc/pki/fwupd-metadata/GPG-KEY-Linux-Vendor-Firmware-Service
/etc/pki/fwupd/GPG-KEY-Linux-Vendor-Firmware-Service

/var/cache/app-info/xmls/fwupd.xml
is written and has a current timestamp.

Removing those key files also doesn't appear to change anything.

Removing the /usr/bin/gpg* executables didn't appear to change anything.

I also tried to change the downloaded /tmp/firmware.xml.gz or
/tmp/firmware.xml.gz.asc files to simulate corrupted or modified contents
but had trouble getting the inotify magic to work. Testing this case will
take more time than I've got at the moment but I suspect this error case
is also not properly handled.

Can these error conditions be properly handled before release? Is fwupd
currently "released" enough to justify getting CVEs assigned for these
unhandled error cases? Can they be programmatically tested to ensure they
don't return?

Thanks