[packagekit] GNOME summit and more about GPG keys

[Robin Norwood]

Adrien BUSTANY <madcat at mymadcat.com> writes:

> Robin Norwood a écrit :
>> Hi,
>>
>> However, one problem is that there isn't a consistant cross-distro way
>> that I know of to name these sorts of deps...so either distros will need
>> to become consistant or the deps need to be generated and maintained
>> somewhere.
>> Thoughts on this?
>>   
> Can't you do a search like "what package does provides the file
> /usr/gimp/plugins/xxx" with yum ? If not, it would be handy since rpm
> does it with -qf...

That's true, with yum/rpm because rpm provides file deps - but:

o The yum/rpm guys want to move *away* from those, because they're a big
part of what makes yum/rpm slower than apt/deb.
o hardcoding a file path kinda sucks.
o This doesn't count as cross-distribution, since only yum/rpm support
it (for now).

>>   And if an unexpected GPG key occurs at some other time, probably just
>>   error out...this way, the gpg check occurs early in the transaction,
>>   instead of after PK goes away to think for awhile.
>>   
> Maybe there should be a frontend to manage yum repos (like unbuntu
> does). Of course, repo files are standard rpms, but that would be useful
> (maybe we could add a different extension to repos rpms ?). That way,
> when the user adds a repo, that frontend would fire up and ask him if he
> trusts the repo (with an option to see the key, and maybe check it
> against a keyserver).

Well, technically repos are just text config files - usually deployed in
rpms, yes.  There are a few ways to solve the problem...

o If PK has 'hooks' to install new repos (ie, maybe it recognizes a
'repo' rpm), then we could do the gpg dance at that time.
o You could also run something in the %post of your repo rpm...but that
might be messy.
o The 'have yum notice new repos' thing.

-RN

-- 
Robin Norwood
Red Hat, Inc.

"The Sage does nothing, yet nothing remains undone."
-Lao Tzu, Te Tao Ching