[packagekit] Having a GPG auth dialog that doesn't suck

James Westby jw+debian at jameswestby.net
Thu Aug 28 10:03:02 PDT 2008 

Hi Richard,

Sorry for the delay in responding to this.

On Mon, 2008-07-21 at 08:55 +0100, Richard Hughes wrote:
> On Tue, 2008-05-27 at 17:40 +0100, James Westby wrote:
> > I think it would be great if we could present the user with a different
> > scary dialog in this situation,
> > 
> >   This repository is not intended to be used with the distribution
> >   that you are running, and doing so could cause problems.
> 
> Right, would that involve a per-distro blacklist of repo names or just
> gpg keys?

Either would work I guess.

> > Possibly it could make it hard to override as well.
> 
> Or impossible? Would you ever (or should you ever) use a debian repo on
> Ubuntu?

You can, but cases would be rare, and I would be happy sending the
user to the command line to edit /etc/apt/sources.list to achieve it.

> > Aside from that though, I would like it if the solution to the key
> > problem didn't make this worse. Could we ship
> > 
> >   /etc/PackageKit/known-repo-keys
> > 
> > or similar that lists them, rather then having a central one for
> > all distros? Then the distro could assign their own policy.
> 
> I've talked to RH legal about this. The l**** repo that has no name
> cannot be linked to, and we certainly can't ship the GPG key.

Ok. I don't think that scuppers this proposal. A Fedora user would
just get "I don't know what this is", if it were asked to add
another rpm based distro's main repository it could notice and
say "I don't think you should be doing that".

> > How does the following table look to everyone?
> > 
> >     Invalid Key                      Disallow the user from adding it
> >     Known incompatible repo          Make it very hard to add it
> >     Known repo, valid key            Not too scary dialog
> >     Unknown repo                     Very scary dialog, hard to add it
> > 
> > It shouldn't be too much work to collect up the information about the
> > big repositories and work out compatibility.
> 
> This is a per-backend thing I think. We can certainly add a new
> parameter to the RepoSigRequired signal in this case.

Yeah, I guess per-backend makes sense, trying to add Debian's repo
to a Fedora system isn't going to screw anything up.

Each backend will be doing something very similar though, so perhaps
there could be supporting code in libpackagekit.

Thanks,

James

More information about the PackageKit mailing list