[packagekit] FOSScamp discussion notes

Richard Hughes hughsient at gmail.com
Fri May 23 00:17:59 PDT 2008


On Fri, 2008-05-23 at 09:04 +0200, Klaus Kaempf wrote:
> * Richard Hughes <hughsient at gmail.com> [May 23. 2008 08:51]:
> > 
> > Well, it's not the case of installing dodgy software, as we already let
> > the user do that with warnings and needing the root prompt. The issue is
> > that some developer creates a repo with a package with a higher epoch,
> > and then Fedora releases a critical security package (with an
> > updated version, but smaller epoch) and the package does not get
> > upgraded, leaving the user vulnerable.
> 
> How's that any different from 'normal' package installs and updates?
> Does PackageKit, or any other package management software, prevent
> this today?

Well, if I use my distro provided repos then there's a pretty certain
guarantee that things won't break mid-cycle like that. I do see your
point though.

> > I've not shut the door on 1-click, I just need some valid use cases.
> > Have you SUSE guys done any work on use cases for 1-click?
> 
> It's extremely useful as soon as you need multiple packages (due to
> dependencies) from a specific source. vlc from videolan.org is my
> primary example with all its additional codecs.
> Being able to click on an RPM just gives you _this_ RPM. What if
> additional RPMs are needed?
> With 1-click-install, you include the whole repository into the
> dependency resolution.

In this case, shouldn't you be installing a videolan-release.rpm with
the repo/sources file, and the gpg key?

Richard.
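The epoch problem Richard describes above, as an added example that is not part of the mailing-list thread or of PackageKit's own code: a simplified Python re-implementation of rpm's version ordering (epoch first, then version, then release, with rpmvercmp-style segment comparison), run over constructed package records (the names, epochs and versions are made up) to show how a third-party package with a higher epoch shadows a distro security update that carries a newer version. The `audit` helper is the check an administrator could run over an installed-package list to flag such packages before they silently miss updates.

```python
import re
from itertools import zip_longest

# Constructed sample data (not from the thread): a third-party build of "vlc"
# installed with epoch 1, and the distro's security fix at epoch 0 but with a
# newer version. rpm orders on epoch first, so the fix is never applied.
INSTALLED = {"name": "vlc", "epoch": 1, "version": "0.9.0", "release": "1.thirdparty"}
DISTRO_UPDATE = {"name": "vlc", "epoch": 0, "version": "0.9.1", "release": "2.fc9"}

# Segments rpmvercmp compares: runs of digits, runs of letters, or a tilde.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified re-implementation (an assumption, not rpm's source) of
    rpm's rpmvercmp(): returns 1 if a is newer, -1 if older, 0 if equal.
    Numeric segments compare numerically, alphabetic ones lexically, a
    numeric segment beats an alphabetic one, and '~' sorts before anything
    (the pre-release marker, so '1.0~rc1' is older than '1.0')."""
    if a == b:
        return 0
    for x, y in zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x == "~" or y == "~":
            if x != "~":
                return 1      # b has a tilde here, so b is older
            if y != "~":
                return -1
            continue          # both have a tilde, keep comparing
        if x is None:
            return -1         # a ran out of segments first
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit():
            return 1          # numeric segment is newer than alphabetic
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    return 0


def evr_cmp(p: dict, q: dict) -> int:
    """Order two packages the way rpm does: epoch decides first, and only
    when epochs are equal do version and then release matter."""
    if p["epoch"] != q["epoch"]:
        return 1 if p["epoch"] > q["epoch"] else -1
    c = rpmvercmp(p["version"], q["version"])
    if c:
        return c
    return rpmvercmp(p["release"], q["release"])


def update_is_shadowed(installed: dict, candidate: dict) -> bool:
    """True when the candidate carries a newer version than what is installed
    but still loses the comparison because of a lower epoch, so the package
    manager will keep the installed (possibly vulnerable) build."""
    return (evr_cmp(installed, candidate) > 0
            and rpmvercmp(installed["version"], candidate["version"]) < 0)


def audit(installed_pkgs: list, updates: list) -> list:
    """Return the names of installed packages whose epoch blocks an
    available update with a newer version."""
    by_name = {u["name"]: u for u in updates}
    return [p["name"] for p in installed_pkgs
            if p["name"] in by_name and update_is_shadowed(p, by_name[p["name"]])]


if __name__ == "__main__":
    print("epoch-shadowed packages:", audit([INSTALLED], [DISTRO_UPDATE]))
```

On a real system the installed list would come from `rpm -qa --queryformat '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'` (rpm prints `(none)` for an unset epoch, which is treated as 0), and the candidate list from the distro repository's metadata; the comparison logic is the same.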