I know that the issue is marked fixed already, but I wonder if there should have been some more popular notice for this surprising change in the update mechanism.
Today I saw there (before installing updates):
[master@dom0 ~]$ sudo qubes-dom0-update
Using sys-firewall as UpdateVM to download updates for Dom0; this may take some time...
warning: Converting database from bdb to sqlite backend
Invalid configuration value: failovermethod=priority in /var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora.repo; Configuration: OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in /var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora.repo; Configuration: OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in /var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora.repo; Configuration: OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in /var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora-updates.repo; Configuration: OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in /var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora-updates.repo; Configuration: OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in /var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora-updates.repo; Configuration: OptionBinding with id "failovermethod" does not exist
Warning: Enforcing GPG signature check globally as per active RPM security policy (see 'gpgcheck' in dnf.conf(5) for how to squelch this message)
Today's updates were:
pm-plugin-systemd-inhibit-4.14.2.1-5.fc25.x86_64 Wed 26 May 2021 03:34:19 PM CEST
rpm-plugin-selinux-4.14.2.1-5.fc25.x86_64 Wed 26 May 2021 03:34:19 PM CEST
qubes-rpm-oxide-0.2.2-1.fc25.x86_64 Wed 26 May 2021 03:34:19 PM CEST
qubes-mgmt-salt-dom0-4.0.25-1.fc25.noarch Wed 26 May 2021 03:34:19 PM CEST
qubes-core-dom0-linux-kernel-install-4.0.30-1.fc25.x86_64 Wed 26 May 2021 03:34:19 PM CEST
qubes-core-dom0-linux-4.0.30-1.fc25.x86_64 Wed 26 May 2021 03:34:19 PM CEST
python3-rpm-4.14.2.1-5.fc25.x86_64 Wed 26 May 2021 03:34:19 PM CEST
python2-rpm-4.14.2.1-5.fc25.x86_64 Wed 26 May 2021 03:34:19 PM CEST
rpm-sign-libs-4.14.2.1-5.fc25.x86_64 Wed 26 May 2021 03:34:12 PM CEST
rpm-libs-4.14.2.1-5.fc25.x86_64 Wed 26 May 2021 03:34:12 PM CEST
rpm-build-libs-4.14.2.1-5.fc25.x86_64 Wed 26 May 2021 03:34:12 PM CEST
rpm-4.14.2.1-5.fc25.x86_64 Wed 26 May 2021 03:34:12 PM CEST
qubes-mgmt-salt-config-4.0.25-1.fc25.noarch Wed 26 May 2021 03:34:12 PM CEST
qubes-mgmt-salt-base-config-4.0.2-1.fc25.noarch Wed 26 May 2021 03:34:12 PM CEST
qubes-mgmt-salt-base-4.0.4-1.fc25.noarch Wed 26 May 2021 03:34:12 PM CEST
qubes-mgmt-salt-admin-tools-4.0.25-1.fc25.noarch Wed 26 May 2021 03:34:12 PM CEST
qubes-mgmt-salt-4.0.25-1.fc25.noarch Wed 26 May 2021 03:34:12 PM CEST
When re-trying after those updates, (most of) the message is still there:
Using sys-firewall as UpdateVM to download updates for Dom0; this may take some time...
Invalid configuration value: failovermethod=priority in /var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora.repo; Configuration: OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in /var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora.repo; Configuration: OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in /var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora.repo; Configuration: OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in /var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora-updates.repo; Configuration: OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in /var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora-updates.repo; Configuration: OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in /var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora-updates.repo; Configuration: OptionBinding with id "failovermethod" does not exist
Warning: Enforcing GPG signature check globally as per active RPM security policy (see 'gpgcheck' in dnf.conf(5) for how to squelch this message)
Last metadata expiration check: 0:41:44 ago on Wed May 26 15:33:47 2021.
Dependencies resolved.
The changes consequent on hardening of the rpm update mechanism were
poorly handled.
The changes consequent to upgrading the updateVM to fedora-33 were
warnings, and the solution was signalled in the warning message.
(see 'gpgcheck' in dnf.conf(5) for how to squelch this message)
Very few users seem to have a) read that message, or b) tried to do what
it said.
You have to look at the manpage in the updateVM (since that is where the
warning is coming from) and apply the solution in dom0. This isnt
intuitive unless you know about the Qubes dom0 update mechanism.
I know that the issue is marked fixed already, but I wonder if there should
have been some more popular notice for this surprising change in the update
mechanism.
Today I saw there (before installing updates):
[master@dom0 ~]$ sudo qubes-dom0-update
Using sys-firewall as UpdateVM to download updates for Dom0; this may take
some time...
warning: Converting database from bdb to sqlite backend
Invalid configuration value: failovermethod=priority in
/var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora.repo; Configuration:
OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in
/var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora.repo; Configuration:
OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in
/var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora.repo; Configuration:
OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in
/var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora-updates.repo;
Configuration: OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in
/var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora-updates.repo;
Configuration: OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in
/var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora-updates.repo;
Configuration: OptionBinding with id "failovermethod" does not exist
Warning: Enforcing GPG signature check globally as per active RPM security
policy (see 'gpgcheck' in dnf.conf(5) for how to squelch this message)
Today's updates were:
pm-plugin-systemd-inhibit-4.14.2.1-5.fc25.x86_64 Wed 26 May 2021 03:34:19 PM
CEST
rpm-plugin-selinux-4.14.2.1-5.fc25.x86_64 Wed 26 May 2021 03:34:19 PM
CEST
qubes-rpm-oxide-0.2.2-1.fc25.x86_64 Wed 26 May 2021 03:34:19 PM
CEST
qubes-mgmt-salt-dom0-4.0.25-1.fc25.noarch Wed 26 May 2021 03:34:19 PM
CEST
qubes-core-dom0-linux-kernel-install-4.0.30-1.fc25.x86_64 Wed 26 May 2021
03:34:19 PM CEST
qubes-core-dom0-linux-4.0.30-1.fc25.x86_64 Wed 26 May 2021 03:34:19 PM
CEST
python3-rpm-4.14.2.1-5.fc25.x86_64 Wed 26 May 2021 03:34:19 PM
CEST
python2-rpm-4.14.2.1-5.fc25.x86_64 Wed 26 May 2021 03:34:19 PM
CEST
rpm-sign-libs-4.14.2.1-5.fc25.x86_64 Wed 26 May 2021 03:34:12 PM
CEST
rpm-libs-4.14.2.1-5.fc25.x86_64 Wed 26 May 2021 03:34:12 PM
CEST
rpm-build-libs-4.14.2.1-5.fc25.x86_64 Wed 26 May 2021 03:34:12 PM
CEST
rpm-4.14.2.1-5.fc25.x86_64 Wed 26 May 2021 03:34:12 PM
CEST
qubes-mgmt-salt-config-4.0.25-1.fc25.noarch Wed 26 May 2021 03:34:12 PM
CEST
qubes-mgmt-salt-base-config-4.0.2-1.fc25.noarch Wed 26 May 2021 03:34:12 PM
CEST
qubes-mgmt-salt-base-4.0.4-1.fc25.noarch Wed 26 May 2021 03:34:12 PM
CEST
qubes-mgmt-salt-admin-tools-4.0.25-1.fc25.noarch Wed 26 May 2021 03:34:12 PM
CEST
qubes-mgmt-salt-4.0.25-1.fc25.noarch Wed 26 May 2021 03:34:12 PM
CEST
When re-trying after those updates, (most of) the message is still there:
Using sys-firewall as UpdateVM to download updates for Dom0; this may take
some time...
Invalid configuration value: failovermethod=priority in
/var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora.repo; Configuration:
OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in
/var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora.repo; Configuration:
OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in
/var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora.repo; Configuration:
OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in
/var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora-updates.repo;
Configuration: OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in
/var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora-updates.repo;
Configuration: OptionBinding with id "failovermethod" does not exist
Invalid configuration value: failovermethod=priority in
/var/lib/qubes/dom0-updates/etc/yum.repos.d/fedora-updates.repo;
Configuration: OptionBinding with id "failovermethod" does not exist
Warning: Enforcing GPG signature check globally as per active RPM security
policy (see 'gpgcheck' in dnf.conf(5) for how to squelch this message)
Last metadata expiration check: 0:41:44 ago on Wed May 26 15:33:47 2021.
Dependencies resolved.
Package Arch Version Repository
Size
Upgrading:
python2-rpm x86_64 4.14.2.1-5.fc25
qubes-dom0-current 118 k
python3-rpm x86_64 4.14.2.1-5.fc25
qubes-dom0-current 118 k
qubes-core-dom0-linux x86_64 4.0.30-1.fc25
qubes-dom0-current 54 k
qubes-core-dom0-linux-kernel-install x86_64 4.0.30-1.fc25
qubes-dom0-current 14 k
qubes-mgmt-salt noarch 4.0.25-1.fc25
qubes-dom0-current 11 k
qubes-mgmt-salt-admin-tools noarch 4.0.25-1.fc25
qubes-dom0-current 23 k
qubes-mgmt-salt-base noarch 4.0.4-1.fc25
qubes-dom0-current 23 k
qubes-mgmt-salt-base-config noarch 4.0.2-1.fc25
qubes-dom0-current 16 k
qubes-mgmt-salt-config noarch 4.0.25-1.fc25
qubes-dom0-current 27 k
qubes-mgmt-salt-dom0 noarch 4.0.25-1.fc25
qubes-dom0-current 12 k
rpm x86_64 4.14.2.1-5.fc25
qubes-dom0-current 531 k
rpm-build-libs x86_64 4.14.2.1-5.fc25
qubes-dom0-current 137 k
rpm-libs x86_64 4.14.2.1-5.fc25
qubes-dom0-current 325 k
rpm-plugin-selinux x86_64 4.14.2.1-5.fc25
qubes-dom0-current 68 k
rpm-plugin-systemd-inhibit x86_64 4.14.2.1-5.fc25
qubes-dom0-current 69 k
rpm-sign-libs x86_64 4.14.2.1-5.fc25
qubes-dom0-current 71 k
Installing dependencies:
qubes-rpm-oxide x86_64 0.2.2-1.fc25
qubes-dom0-current 138 k
Transaction Summary
Install 1 Package
Upgrade 16 Packages
Total size: 1.7 M
DNF will only download packages for the transaction.
Downloading Packages:
[SKIPPED] qubes-rpm-oxide-0.2.2-1.fc25.x86_64.rpm: Already downloaded
Complete!
The downloaded packages were saved in cache until the next successful
transaction.
You can remove cached packages by executing 'dnf clean packages'.
Qubes OS Repository for Dom0
The changes consequent on hardening of the rpm update mechanism were
poorly handled.
The changes consequent to upgrading the updateVM to fedora-33 were
warnings, and the solution was signalled in the warning message.
(see 'gpgcheck' in dnf.conf(5) for how to squelch this message)
Very few users seem to have a) read that message, or b) tried to do what
it said.
Sorry, but I feel stupid:
Even after removing any failovermethod line from /var/lib/qubes/dom0-updates/etc/yum.repos.d/* in sys-firewall, those lines were re-added next time when I had run qubes-dom0-update in Dom0. Same for adding localpkg_gpgchgeck.
You have to look at the manpage in the updateVM (since that is where the
warning is coming from) and apply the solution in dom0. This isnt
intuitive unless you know about the Qubes dom0 update mechanism.
It wasn't obvious to me that the command output came from sys-firewall (UpdateVM), sorry.
The comment cited earlier reads: "This is harmless. The fix is simply to delete those lines from the configuration in dom0."