[packagekit] FOSScamp discussion notes

Stanislav Visnovsky visnov at suse.cz
Fri May 23 02:57:06 PDT 2008


On Friday 23 May 2008 08:50:18 Richard Hughes wrote:
> On Thu, 2008-05-22 at 17:06 -0400, David Zeuthen wrote:
> > On Tue, 2008-05-20 at 14:39 +0100, Richard Hughes wrote:
> > > > - it would be nice to have PackageKit frontend for 1-click install
> > >
> > > Talking to the Red Hat security guys they were very unhappy with this -
> > > potentially many many problems with security.
> >
> > Can you, or these security guys, kindly explain how this is any
> > different than being able to install any rpm from a website? The latter
> > works just fine today...
>
> Well, it's not the case of installing dodgy software, as we already let
> the user do that with warnings and needing the root prompt. The issue is
> that some developer creates a repo with a package with a higher epoch,
> and then Fedora releases a critical security package (with an
> updated version, but smaller epoch) and the package does not get
> upgraded, leaving the user vulnerable.

This is something package management has to solve anyway - taking care that
applying security updates is kind-of-restricted to trusted repos only.

Just a note - the 1-click handler in openSUSE has an option to remove the repo
right after installation, or keep it. It's up to the user to decide.

>
> There's also the scenario that the user installs some random repo, where
> the developer pushes a few svn packages. The developer gets bored, and
> stops producing updates, and then one of the packages could block on a
> dependency, causing no further automatic system updates.
>
> > > What primary usecases do
> > > you think 1 click install will accomplish?
> >
> > Just look at how 1 click install is used today already.
>
> I guess for people like you it would be quite useful "click here to
> install my DeviceKit rpms" but then I would argue you should just get
> them into rawhide :-)

Look at openSUSE Build service - you can build anything there and you will get 
all the convenience (repos, 1-click, signing infrastructure, etc) even for 
your 0.0.1-not-there code, by simply packaging it using the tool. The code 
might never get to rawhide.

>
> I've not shut the door on 1-click, I just need some valid use cases.
> Have you suse guys done any work on use cases for 1-click?

Stano
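
Added example (not part of the original thread, and not PackageKit or rpm code): a check for the epoch scenario quoted above, listing installed packages from a non-trusted repo whose epoch hides a newer version in a trusted repo. The package names, repo names and sample data are constructed, and the version comparison is a simplified form of rpm's ordering (no ~ or ^ handling).

```python
import re
from itertools import zip_longest

TRUSTED = {"fedora", "updates"}  # assumption: repo ids considered trusted

def parse_evr(evr):
    """Split 'epoch:version-release'; a missing epoch counts as 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def seg_cmp(a, b):
    """Simplified rpmvercmp: compare digit/letter runs left to right."""
    pat = r"\d+|[A-Za-z]+"
    for x, y in zip_longest(re.findall(pat, a), re.findall(pat, b)):
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric run beats alphabetic
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    return 0

def evr_cmp(a, b):
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1  # epoch decides before version is read
    return seg_cmp(va, vb) or seg_cmp(ra, rb)

def masked_updates(installed, trusted_updates):
    """Names whose trusted update is newer by version-release but loses on epoch."""
    masked = []
    for name, (evr, repo) in installed.items():
        upd = trusted_updates.get(name)
        if upd is None or repo in TRUSTED:
            continue
        (_, iv, ir), (_, uv, ur) = parse_evr(evr), parse_evr(upd)
        newer_without_epoch = (seg_cmp(uv, iv) or seg_cmp(ur, ir)) > 0
        if evr_cmp(upd, evr) < 0 and newer_without_epoch:
            masked.append(name)
    return masked

# Constructed sample: name -> (installed EVR, repo it came from)
INSTALLED = {"libfoo": ("1:1.0-1", "thirdparty"),
             "bar": ("2.0-1", "fedora"),
             "baz": ("0.9-1", "thirdparty")}
TRUSTED_UPDATES = {"libfoo": "1.2-3.fc9", "baz": "1.0-1"}  # constructed
print(masked_updates(INSTALLED, TRUSTED_UPDATES))
```
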


