RFE: add an override to allow installing content flagged "untrusted"

[pmatilai]

Previously discussed in various different contexts, most recently rpm-software-management/rpm-sequoia#46:

We now return RPMRC_UNTRUSTED for some content, such as packages relying on legacy crypto. This is not considered an error for installed packages because that will not make the "bad" package go away, only makes it unnecessarily hard to remove or upgrade away from, but we flatly refuse to install such content. In many cases it would be preferable to just allow that legacy content to be installed without giving up all signature checking with --nosignature.

We should add a config and/or transaction flag to allow installing packages returning RPMRC_UNTRUSTED, both to rpm cli and the API for depsolver etc use.

[djflux]

Appreciate the work on this one. Thank you for opening.

Cheers,
Andy aka Flux

[brianjmurrell]

As for an impact statement on this ticket, currently we are stuck at using Fedora 37 as our mock host, since Fedora 38 introduced this new behaviour and does not work with packages from SUSE (at a minimum).

Using Fedora 37 as a mock host of course has an expiry date -- when it becomes EOL and unsupported any more. The hope is by that time, this is resolved and we can once again use the latest Fedora.