[packagekit] GPG keys

Richard Hughes hughsient at gmail.com
Wed Oct 3 10:12:59 PDT 2007 

On Wed, 2007-10-03 at 09:58 -0400, Robin Norwood wrote:
> Richard Hughes <hughsient at gmail.com> writes:
> 
> >> > Or rather: PK_ERROR_ENUM_GPG_FAILURE
> >> 
> >> Yes, that.
> >
> > Which probably needs to be renamed to be abstract.... ;-)
> 
> Yup.  'signature' is probably the right generic term.

Yes, that's much better.

> >> "SignatureRequired"?
> >> "NeedSignature"?
> >> "PackageSignatureImportRequest"?
> >
> > Ultimately, the backends will have repo controls, like:
> >
> > a(s=rid,s=description)=GetRepoList()
> > RepoEnable(s=rid,s=value)
> > RepoSetData(s=rid,s=data,s=value)
> >
> > So maybe RepoAuthenticationRequired, RepoAuthRequired or
> > RepoValidateRequired would be best.
> 
> RepoSignatureRequired, or RepoSigRequired maybe...

RepoSignatureRequired is good for me.

> 'signature' is the best generic term, I think.
> 
> >> I have little knowledge of how other packaging systems handle
> >> signatures, so it's hard for me to know what needs to be abstracted, and
> >> what the full set of data might be available in a
> >> "PackageSignatureImportRequest" for the various backends.  I was just
> >> going to go with what yum provides, and let others add to that.  It
> >> looks like yum deals with the key's url, userid, keyid, and timestamp.
> >
> > What does userid and timestamp convey?
> 
> It's the userid "Robin Norwood (Red Hat, Inc.) <rnorwood at redhat.com>"
> and time stamp (creation date, IIRC) of the gpg key used to sign the
> package.  You'll want to show all four bits of info to the user when
> asking her to import the key.

Sure, we can add all of those to the callback. I don't see a harm in
including all the fields, we can make it more abstract if and when
another backend needs to do something slightly different.

> >> > Hmm. I'm not so worried about round trips actually, the interaction with
> >> > the user is going to be the slowest part by miles, and you'll want to be
> >> > able to approve/deny each one. Plus you only have to do this once, ever.
> >> 
> >> Well, once per repository, but really the most Fedora users ever
> >> encounter is two or maybe three.  (Livna, et al)
> >
> > Sure, but updates and fedora should already be added. Livna is the only
> > one this should apply to.
> 
> Maybe.  IIRC, Fedora still doesn't import the GPG key until the first
> time you run yum (or pirut, or PackageKit).  Regardless, there shouldn't
> ever be more than a couple.

Cool. Hack away :-)

Richard.

More information about the PackageKit mailing list