52da7c5 Upstream yum recently changed the behaviour when checking signatures

Authored and Committed by Richard Hughes 12 years ago
    Upstream yum recently changed the behaviour when checking signatures
    on a package. The commit added a new configuration key which only
    affects local packages, but the key was set by default to False.
    This meant that an end user could install a local unsigned rpm package
    using PackageKit without a GPG trust check, and the user would be told
    the untrusted package is itself trusted.
    To exploit this low-impact vulnerability, a user would have to
    manually download an unsigned package file and would still be required
    to authenticate to install the package.
    The CVE-ID for this bug is CVE-2011-2515.
    See https://bugzilla.redhat.com/show_bug.cgi?id=717566 for details.
    Resolves #718127
file modified
+19 -1