Install packages or update or upgrade Fedora from University IT Center

mfaridi · May 14, 2026, 6:35am

In our university we have IT and they said students can use their repo for update or upgrade packages on Linux, for Fedora they give us this config
```
[IT-fedora]
name=Fedora $releasever - $basearch
failovermethod=priority
baseurl= Domain im Kundenauftrag registriert
enabled=1
metadata_expire=7d
repo_gpgcheck=0
type=rpm
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
skip_if_unavailable=False

[IT-updates]
name=Fedora $releasever - $basearch - Updates
failovermethod=priority
baseurl= Domain im Kundenauftrag registriert
enabled=1
repo_gpgcheck=0
type=rpm
gpgcheck=1
metadata_expire=6h
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
skip_if_unavailable=False
```
Is this safe and I can use it?
Can they put bad packages on their repo?
If I use this repo how I can check my Fedora is OK and not hacked?

rubirod1200 · May 14, 2026, 6:58am

I would be concerned about this.

Is there a reason not to do an in-place upgrade using official repos?

Two days ago I upgraded from 43 to 44 via Software and it went smooth as silk.

Backing up important data is always a prerequisite no matter which route you decide to take.

mfaridi · May 14, 2026, 9:24am

In university we do not have direct access to internet.

pg-tips · May 14, 2026, 9:38am

Yes. Perhaps more likely, if their security is poor, they can be hacked by a bad actor who puts bad packages there.

Normally you’d be protected by the system checking that the packages are signed with Fedora’s GPG key. But your university is telling you to throw away that protection, by using repo_gpgcheck=0. Edit: no, I’m wrong, per @francismontagnac 's post you should still be protected by gpgcheck=1.

francismontagnac · May 14, 2026, 9:48am

I don’t think so: this parameter is also set to 0 in the standard fedora and
fedora-updates .repo files.

The setting of gpgcheck=1 is the important one.

I guess that this university is doing an exact mirror of the fedora repos.

pg-tips · May 14, 2026, 9:50am

Oh! You’re right!

theprogram · May 14, 2026, 10:50am

Then yes, this IT provided repo looks good and you can use it to update.

mfaridi · May 14, 2026, 6:00pm

How I can check installed packages health and installed packages did not modified or edited?

theprogram · May 14, 2026, 6:10pm

That is what the gpgcheck=1 does for you when you do the update

Topic		Replies	Views
Unable to install package in fedora 41 image with repo_gpgcheck enabled Ask Fedora	5	698	March 19, 2025
Fedora 41 repo_gpgcheck=1 not working Ask Fedora repo , dnf , gpg	7	2214	March 27, 2025
Fedora 37 update from F34 fails. Unable to connect to Mirrors and upgrade repositories Ask Fedora f34 , dnf	18	2820	November 21, 2022
Vulnerability - no repo_gpgcheck on Fedora repos Ask Fedora repo , dnf	8	364	March 31, 2025
Secure way to get software Ask Fedora	6	741	May 15, 2023

Install packages or update or upgrade Fedora from University IT Center

Related topics