[packagekit] Having a GPG auth dialog that doesn't suck
James Westby
jw+debian at jameswestby.net
Tue May 27 09:40:08 PDT 2008
Sorry, really need to find out how to turn that keybinding off.
On a related note to showing a different dialog when a repo is known
but not official, has there been any thought to presenting the
"compatibility" of repositories?
I have dealt with a couple of bug reports recently where people were
mixing Debian and Ubuntu repositories (the official ones), with
unexpected (for them) problems. There was then a discussion (originating
from another bug report) about the topic on ubuntu-devel
https://lists.ubuntu.com/archives/ubuntu-devel/2008-April/025290.html
https://lists.ubuntu.com/archives/ubuntu-devel/2008-April/025325.html
is probably the most useful post.
My concern is that the changes proposed may make it less clear to users
that they are doing something wrong. I don't know if Debian's key
would be carried, but even if it isn't you can construct a possibly
problematic situation. For example, there are two repositories that
provide a similar service to Livna (as I understand it),
debian-multimedia.org and Medibuntu. If both keys were to be recognised
then I, on an Ubuntu system, could add the former, and get a not very
scary dialog when doing so.
I think it would be great if we could present the user with a different
scary dialog in this situation,
    This repository is not intended to be used with the distribution
    that you are running, and doing so could cause problems.
Possibly it could make it hard to override as well.
Aside from that though, I would like it if the solution to the key
problem didn't make this worse. Could we ship
    /etc/PackageKit/known-repo-keys
or similar that lists them, rather than having a central one for
all distros? Then the distro could assign their own policy.
Another approach would be to add a new field to your proposal that
could be a list of distros to allow it on, and the output of lsb_release
could be used to choose the dialog.
How does the following table look to everyone?
    Invalid Key                Disallow the user from adding it
    Known incompatible repo    Make it very hard to add it
    Known repo, valid key      Not too scary dialog
    Unknown repo               Very scary dialog, hard to add it
It shouldn't be too much work to collect up the information about the
big repositories and work out compatibility.
Would this policy suit every distro? Does all of this hold true in the
rpm world?
Thanks,
James
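
The policy table and the per-distro allow list proposed in the message above, sketched as an added example that is not part of the original message or of PackageKit. The file format, the field names, the fingerprints and the order in which the rows are checked are assumptions made for illustration; key verification is taken as an input.

```python
# Added illustration: file format, field names and fingerprints are
# constructed for this example; PackageKit defines none of them.
from enum import Enum

class Dialog(Enum):
    DISALLOW = "disallow the user from adding it"
    INCOMPATIBLE = "make it very hard to add it"
    KNOWN = "not too scary dialog"
    UNKNOWN = "very scary dialog, hard to add it"

# Constructed sample of a distro-shipped known-repo-keys file (hypothetical
# layout): fingerprint | repository name | comma-separated distro ids
SAMPLE_KNOWN_REPO_KEYS = """\
# fingerprint | repo | distros
AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111 | Medibuntu | Ubuntu
BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222 | debian-multimedia.org | Debian
"""

def parse_known_repo_keys(text):
    """Return {fingerprint: (repo name, set of lower-cased distro ids)}."""
    known = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 3 or not all(fields):
            raise ValueError(f"line {lineno}: expected 3 non-empty fields")
        fpr, name, distros = fields
        allowed = {d.strip().lower() for d in distros.split(",") if d.strip()}
        known[fpr.replace(" ", "").upper()] = (name, allowed)
    return known

def choose_dialog(known, fingerprint, key_valid, distro_id):
    """Map one repository to a row of the table in the message.

    key_valid: result of checking the key, done elsewhere.
    distro_id: the running distro, e.g. the output of `lsb_release -is`.
    Assumed precedence: invalid key, then unknown, then incompatible.
    """
    if not key_valid:
        return Dialog.DISALLOW
    entry = known.get(fingerprint.replace(" ", "").upper())
    if entry is None:
        return Dialog.UNKNOWN
    _name, allowed = entry
    if distro_id.strip().lower() not in allowed:
        return Dialog.INCOMPATIBLE
    return Dialog.KNOWN
```

With the constructed sample, the debian-multimedia.org key on an Ubuntu system lands in the "known incompatible repo" row rather than the "not too scary" one, which is the case the message is concerned about.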