[packagekit] GNOME summit and more about GPG keys

Adrien BUSTANY madcat at mymadcat.com
Wed Oct 10 07:24:46 PDT 2007


Robin Norwood a écrit :
> Adrien BUSTANY <madcat at mymadcat.com> writes:
>
>   
>> Robin Norwood a écrit :
>>     
>>> Hi,
>>>
>>> However, one problem is that there isn't a consistant cross-distro way
>>> that I know of to name these sorts of deps...so either distros will need
>>> to become consistant or the deps need to be generated and maintained
>>> somewhere.
>>> Thoughts on this?
>>>   
>>>       
>> Can't you do a search like "what package does provides the file
>> /usr/gimp/plugins/xxx" with yum ? If not, it would be handy since rpm
>> does it with -qf...
>>     
>
> That's true, with yum/rpm because rpm provides file deps - but:
>
> o The yum/rpm guys want to move *away* from those, because they're a big
> part of what makes yum/rpm slower than apt/deb.
> o hardcoding a file path kinda sucks.
> o This doesn't count as cross-distribution, since only yum/rpm support
> it (for now).
>
>   
>>>   And if an unexpected GPG key occurs at some other time, probably just
>>>   error out...this way, the gpg check occurs early in the transaction,
>>>   instead of after PK goes away to think for awhile.
>>>   
>>>       
>> Maybe there should be a frontend to manage yum repos (like unbuntu
>> does). Of course, repo files are standard rpms, but that would be useful
>> (maybe we could add a different extension to repos rpms ?). That way,
>> when the user adds a repo, that frontend would fire up and ask him if he
>> trusts the repo (with an option to see the key, and maybe check it
>> against a keyserver).
>>     
>
> Well, technically repos are just text config files - usually deployed in
> rpms, yes.  There are a few ways to solve the problem...
>
> o If PK has 'hooks' to install new repos (ie, maybe it recognizes a
> 'repo' rpm), then we could do the gpg dance at that time.
> o You could also run something in the %post of your repo rpm...but that
> might be messy.
> o The 'have yum notice new repos' thing.
>
> -RN
>
>   
Just about the confirmation window I was talking about in the precedent
mail, to accept or not gpg keys, I did a simple mockup :
http://maison.mymadcat.com/~madcat/ecran.jpg . That way we don't need to
show the user a scarrying gpg key, but he can see it if he wants to.
regards
Adrien BUSTANY



More information about the PackageKit mailing list