[packagekit] GNOME summit and more about GPG keys

Adrien BUSTANY madcat at mymadcat.com
Wed Oct 10 01:44:26 PDT 2007 

Robin Norwood a écrit :
> Hi,
>
> So, I gave a little demo of PackageKit at the GNOME summit on Monday.
> It went well.  Nothing crashed.  :-)  There were some good questions and
> comments afterwards.  The response seemed positive to me.  There was a
> bit of a discussion about "How applications can install plugins with
> PackageKit".  For instance, gimp plugins and gstreamer codecs.  To be
> able to do this, we should probably have simple python and C bindings to
> install things with a semantic of "give me a package which provides
> 'x'".  The bindings we have now are pretty close, and maybe just example
> code needs to be easily available.
>
> However, one problem is that there isn't a consistant cross-distro way
> that I know of to name these sorts of deps...so either distros will need
> to become consistant or the deps need to be generated and maintained
> somewhere.
> Thoughts on this?
>   
Can't you do a search like "what package does provides the file
/usr/gimp/plugins/xxx" with yum ? If not, it would be handy since rpm
does it with -qf...
>
> Second, GPG signing - had a few discussions with RHers at the office
> today about GPG signing...everyone pretty much agrees that the current
> way to do it sucks.  Some ideas to fix it:
>
> o Accepting a GPG signature should happen when you add a repository, not
> when you try to install a package.  yum repo config (not sure about
> other backends) can include a URL to the GPG key...so, a yum plugin
> could be created to check to see:
>
>   - foreach repo:
>     - Is GPG checking enabled?
>     - Is the GPG key installed?
>     - If not, then do the prompt user thing (the repo_signature_required
>     signal)
>
>   And if an unexpected GPG key occurs at some other time, probably just
>   error out...this way, the gpg check occurs early in the transaction,
>   instead of after PK goes away to think for awhile.
>   
Maybe there should be a frontend to manage yum repos (like unbuntu
does). Of course, repo files are standard rpms, but that would be useful
(maybe we could add a different extension to repos rpms ?). That way,
when the user adds a repo, that frontend would fire up and ask him if he
trusts the repo (with an option to see the key, and maybe check it
against a keyserver).
> o Keyserver(s): We (well, individual distros, or some central group)
> could set up a public keyserver.  This way, when the user is presented
> with a key, an additional check could be run to see if they key matches
> one in the keyserver.  The user then has an added layer of trust, rather
> than verifying the fingerprint against a URL that could have been
> forged.  This does put a burden on whoever runs the keyserver, because
> then *they* have to go and verify that a person or org before a new key
> is uploaded.
>
> o Many, many people ranted about how bad it is to show the user a hex
> string.  Having a keyserver might mitigate that, but...
>
> o Fedora should include it's keys at install time, instead of the first
> time yum is run (maybe this is already fixed, but it's silly).
>
> That's it - sorry for the fairly disorganized braindump.
>   
Don't know if piping it through sort would have been better ;-)
> -RN
>
>   
Adrien BUSTANY

More information about the PackageKit mailing list