From 0a5c70e49fe90b965f23352af176a8cb789e0ab1 Mon Sep 17 00:00:00 2001
From: Sandwich
Date: Fri, 20 Feb 2026 20:19:57 +0100
Subject: [PATCH] docs(environment): document RPM GPG policy relaxation
---
 roles/environment/tasks/main.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/roles/environment/tasks/main.yml b/roles/environment/tasks/main.yml
index 521315b..e571bdb 100644
--- a/roles/environment/tasks/main.yml
+++ b/roles/environment/tasks/main.yml
@@ -205,6 +205,10 @@
 opts: "ro,loop"
 state: mounted
+ # Security note: RPM Sequoia signature policy is relaxed to allow
+ # bootstrapping RHEL-family distros from the Arch ISO, where the
+ # host rpm/dnf does not trust target distro GPG keys. Package
+ # integrity is verified by the target system's own rpm after reboot.
 - name: Relax RPM Sequoia signature policy for RHEL bootstrap
 when: is_rhel | bool
 ansible.builtin.copy:
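Review bot: The last sentence of the added comment, "Package integrity is verified by the target system's own rpm after reboot", promises a check that nothing in this hunk performs. rpm checks signatures when a package is installed, so packages laid down while the policy is relaxed would presumably not be re-verified on first boot unless a later task does so explicitly. I would reword it to state the residual risk, e.g. `# Packages installed during bootstrap are NOT signature-checked by the host; only packages installed later by the target's own rpm are verified.` The comment should also say which policy file the copy writes and whether it is restored afterwards; the task body continues outside the hunk, so that scope is not visible here. If the target distro's keys can be imported on the host before bootstrap, that would avoid relaxing the policy at all.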