[packagekit] Signed packages again again

Richard Hughes hughsient at gmail.com
Fri Nov 16 06:35:38 PST 2007

On Thu, 2007-11-15 at 18:08 -0500, David Zeuthen wrote:
> So this would mean, in the worst, you would have to ask for more auths
> in the middle of the transaction. I can see how this can be a problem.
> Then again, this should rarely happen; basically only if 

We absolutely can't do this. Auth or licence prompts can only be done
before the transaction has started, and messages or notices about the
transaction can only be shown after the transaction. I've been quite
firm with the apt guys about this. I think this one was called
"Hughsie's law" in IRC one evening.

We need another way to see if a package is signed than just to prompt
from rpm. I think we should probably just fail the transaction if the
rpm is not signed and then re-request an install with a different polkit
rule. So Install(s=package_id) would become Install(s=package_id,
b=allow_untrusted) - the problem then is all the backends have to change
all the methods signatures. Not cool. Allow_untrusted is also quite
specific and non-generic, so maybe we can future proof this as an
enumerated type so future method updates would not be needed.



More information about the PackageKit mailing list