[packagekit] Having a GPG auth dialog that doesn't suck
Richard Hughes
hughsient at gmail.com
Mon Jul 21 00:55:33 PDT 2008
On Tue, 2008-05-27 at 17:40 +0100, James Westby wrote:
> I think it would be great if we could present the user with a different
> scary dialog in this situation,
>
> This repository is not intended to be used with the distribution
> that you are running, and doing so could cause problems.
Right, would that involve a per-distro blacklist of repo names or just
GPG keys?
> Possibly it could make it hard to override as well.
Or impossible? Would you ever (or should you ever) use a Debian repo on
Ubuntu?
> Aside from that though, I would like it if the solution to the key
> problem didn't make this worse. Could we ship
>
> /etc/PackageKit/known-repo-keys
>
> or similar that lists them, rather than having a central one for
> all distros? Then the distro could assign their own policy.
I've talked to RH legal about this. The l**** repo that has no name
cannot be linked to, and we certainly can't ship the GPG key.
> Another approach would be to add a new field to your proposal that
> could be a list of distros to allow it on, and the output of lsb_release
> could be used to choose the dialog.
PackageKit already defines a distro_id which can be used for this.
> How does the following table look to everyone?
>
> Invalid Key                Disallow the user from adding it
> Known incompatible repo    Make it very hard to add it
> Known repo, valid key      Not too scary dialog
> Unknown repo               Very scary dialog, hard to add it
>
> It shouldn't be too much work to collect up the information about the
> big repositories and work out compatibility.
This is a per-backend thing I think. We can certainly add a new
parameter to the RepoSigRequired signal in this case.
> Would this policy suit every distro? Does all of this hold true in the
> rpm world?
Yes, it makes sense.
Richard.
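
The four-row table and the per-distro key list discussed in this thread, sketched as an added example that is not part of the original message and is not PackageKit code. The `fingerprint | repo | distro ids` file format, the sample entries and all function names are assumptions, and `key_valid` stands for whatever validity check the backend performs.

```python
import re
from enum import Enum

class Dialog(Enum):
    DISALLOW = "disallow the user from adding it"
    HARD = "make it very hard to add it"
    MILD = "not too scary dialog"
    SCARY = "very scary dialog, hard to add it"

# Constructed sample in a hypothetical known-repo-keys format (assumption).
SAMPLE = """\
# fingerprint | repo name | distro ids the repo is meant for
0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567 | example-updates | distro-a, distro-b
FEDCBA9876543210FEDCBA9876543210FEDCBA98 | other-extras | distro-c
"""

_FPR = re.compile(r"[0-9A-F]{40}")

def normalize(fpr):
    """Return the fingerprint as 40 upper-case hex digits, or None."""
    cleaned = "".join(fpr.split()).upper()
    return cleaned if _FPR.fullmatch(cleaned) else None

def parse_known_keys(text):
    """Map fingerprint -> (repo, distro ids); a malformed line is an error."""
    known = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split("|")]
        fpr = normalize(fields[0]) if len(fields) == 3 else None
        if fpr is None:
            raise ValueError(f"line {lineno}: malformed entry")
        distros = {d.strip() for d in fields[2].split(",") if d.strip()}
        known[fpr] = (fields[1], distros)
    return known

def choose_dialog(known, fingerprint, key_valid, distro_id):
    """Apply the table's rows, checking the most restrictive case first."""
    fpr = normalize(fingerprint)
    if not key_valid or fpr is None:
        return Dialog.DISALLOW      # invalid key
    if fpr not in known:
        return Dialog.SCARY         # unknown repo (lookup is by key, not name)
    _repo, distros = known[fpr]
    if distro_id not in distros:
        return Dialog.HARD          # known repo, not meant for this distro
    return Dialog.MILD              # known repo, valid key
```

Looking entries up by fingerprint rather than by repository name means a repository that reuses a known name with a different key falls into the "unknown repo" row.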