[packagekit] Questions about install-signatures, what-provides and repo-set-data

Zac Medico zmedico at gentoo.org
Wed Jun 24 13:57:37 PDT 2009


Mounir Lamouri wrote:
> On Wed, Jun 24, 2009 at 9:32 AM, Richard Hughes<hughsient at gmail.com> wrote:
>> On Tue, Jun 23, 2009 at 10:44 PM, Mounir
>> Lamouri<mounir.lamouri at gmail.com> wrote:
>>> * install-signatures
>>> As far as I know, the only security in Gentoo is md5sum of the ebuilds/tarballs
>>> and they do not need to be installed so this function probably doesn't need to
>>> be in the backend.
>> I don't think this is relevant for gentoo. One slight concern I have
>> is how you make the backend secure. At the moment you can
>> InstallPackages(only_trusted=TRUE) without a password by default. So,
>> if you say that every package is trusted (because there is no trust
>> data like a signed binary deb) then users might get upset that
>> software is installed without a prompt. It might be better to return
>> with an ErrorCode if only_trusted is true, and rely on
>> only_trusted=False so at least we show a password prompt. Up to you.
>> Imagine if InstallPackage(vnc) installs vnc, starts it, and runs it by
>> default.
> I didn't test with the new only_trusted parameter and yes, I will
> probably need to manage that. Actually, as for search-files /
> get-require / get-files, why not add something to know if the
> backend supports such things. Trusted is probably something not every
> PM will use.
> 
> And by the way, Zac, has nothing been planned/discussed related to
> this feature in Gentoo?

There is some planning here:

http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/

It's also possible to verify the gpg signature of a portage tree
snapshot and treat that as a form of trust. However, it may not
be worth the effort.

>>> * what-provides
>>> I don't see an easy way to get that information. I suppose it is used for
>>> missing codecs?
>> Yes, and missing mime-types and a lot of the cleverness. If at all
>> possible you want to try and support this, else a lot of the clever
>> front end tools won't really shine. If you can tag your
>> gstreamer-plugins-bad ebuild with something like
>> provides:gstreamer0.10(decoder=audio/mp3) then gentoo would have the
>> same functionality as other backends. All the other cool kids are
>> adding metadata like this :)
> At the moment, nothing like that is in Gentoo.
> I will surely not count on such a feature for the end of my gsoc (ie.
> for a first public release) but we could propose it for further
> developments. What do you think, Zac?

Sure, we can propose some sort of metadata extension for that. It
also bears some similarity to virtuals. For example, you have a
virtual/gstreamer-decoder-audio-mp3-0.10 ebuild which pulls in an
appropriate package as a dependency.
-- 
Thanks,
Zac
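The two backend decisions discussed above, modelled as an added example that is not part of this thread, of the gentoo backend, or of PackageKit's API: the class, method and constant names are assumptions, and the ebuild names and versions in the sample data are constructed. It shows InstallPackages failing closed when only_trusted is set and the backend has no trust data for a package (so the frontend has to retry with only_trusted=False and the user gets a password prompt), and WhatProvides resolving a provides tag like gstreamer0.10(decoder=audio/mp3) onto a virtual ebuild name in the style Zac mentions.

```python
"""Toy model of a PackageKit backend's trust and provides handling.

Assumed names throughout; this is not PackageKit's or portage's API.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Package:
    cpv: str                    # category/package-version (constructed samples below)
    trusted: bool = False       # True only if the backend verified trust data (e.g. a signature)
    provides: list = field(default_factory=list)   # provides tags from package metadata


# Constructed sample metadata, not real tree contents.
SAMPLE_PACKAGES = [
    Package("media-libs/gst-plugins-bad-0.10.14", trusted=False,
            provides=["gstreamer0.10(decoder=audio/mp3)"]),
    Package("app-editors/nano-2.1.10", trusted=True),
]


class ToyBackend:
    # Outcome codes (assumed; real PackageKit uses its own ErrorCode enum)
    INSTALLED = "installed"
    ERROR_NOT_TRUSTED = "error:not-trusted"       # frontend retries with only_trusted=False
    ERROR_NOT_FOUND = "error:package-not-found"

    # gstreamer0.10(decoder=audio/mp3) -> namespace, slot, kind, mime type
    _PROVIDES_RE = re.compile(
        r"^(?P<ns>[a-zA-Z][a-zA-Z-]*)(?P<slot>[\d.]*)"
        r"\((?P<kind>\w+)=(?P<mime>[\w.+-]+/[\w.+-]+)\)$")

    def __init__(self, packages):
        self._pkgs = {p.cpv: p for p in packages}
        self.installed = []

    def install_packages(self, only_trusted, cpvs):
        """Fail closed: with only_trusted=True every package must carry trust data.

        Returning an error instead of treating everything as trusted means the
        frontend falls back to only_trusted=False, which is the path that shows
        the user a password prompt before anything is installed.
        """
        for cpv in cpvs:
            pkg = self._pkgs.get(cpv)
            if pkg is None:
                return self.ERROR_NOT_FOUND
            if only_trusted and not pkg.trusted:
                return self.ERROR_NOT_TRUSTED
        self.installed.extend(cpvs)
        return self.INSTALLED

    @classmethod
    def virtual_for(cls, tag):
        """Map a provides tag onto a virtual ebuild name.

        gstreamer0.10(decoder=audio/mp3) -> virtual/gstreamer-decoder-audio-mp3-0.10
        """
        m = cls._PROVIDES_RE.match(tag)
        if not m:
            raise ValueError("unrecognised provides tag: %r" % (tag,))
        ns, slot, kind, mime = m.group("ns", "slot", "kind", "mime")
        name = "virtual/%s-%s-%s" % (ns, kind, mime.replace("/", "-"))
        return name + ("-" + slot if slot else "")

    def what_provides(self, tag):
        """Return the cpvs whose metadata lists the given provides tag."""
        return sorted(p.cpv for p in self._pkgs.values() if tag in p.provides)


if __name__ == "__main__":
    backend = ToyBackend(SAMPLE_PACKAGES)
    codec = "gstreamer0.10(decoder=audio/mp3)"
    print(ToyBackend.virtual_for(codec))
    print(backend.what_provides(codec))
    print(backend.install_packages(True, backend.what_provides(codec)))   # refused, no trust data
    print(backend.install_packages(False, backend.what_provides(codec)))  # proceeds after prompt
```

The only_trusted branch is the point Richard raises: a backend without signature data should refuse the trusted path rather than install silently, because the untrusted path is the one the frontend guards with a prompt.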
