[packagekit] Questions about install-signatures, what-provides and repo-set-data

Richard Hughes hughsient at gmail.com
Wed Jun 24 00:32:15 PDT 2009


On Tue, Jun 23, 2009 at 10:44 PM, Mounir Lamouri <mounir.lamouri at gmail.com> wrote:
> * install-signatures
> Signatures are GPG keys which are "signing" packages for security reasons?
> So, signed packages are the ones named "trusted"?

Yup. For yum, a package is trusted if it comes from a signed repo, and
is signed itself with a known GPG signature.

> As far as I know, the only security in Gentoo is md5sum of the ebuilds/tarballs
> and they do not need to be installed so this function probably doesn't need to
> be in the backend.

I don't think this is relevant for gentoo. One slight concern I have
is how you make the backend secure. At the moment you can
InstallPackages(only_trusted=TRUE) without a password by default. So,
if you say that every package is trusted (because there is no trust
data like a signed binary deb) then users might get upset that
software is installed without a prompt. It might be better to return
with an ErrorCode if only_trusted is true, and rely on
only_trusted=False so at least we show a password prompt. Up to you.
Imagine if InstallPackage(vnc) installs vnc, starts it, and runs it by
default.

> * repo-set-data
> I really don't get the meaning of this function. According to the example, user
> can set the download-url of a repository?

They can do anything specific to the backend. So on the dummy backend
I could do:

RepoSetData("reponame", "use-gpg", "1")
RepoSetData("reponame", "add-repo", "http://www.hughsie.com/repo")
RepoSetData("reponame", "set-distro-version", "+1")

It allows you to interact with a repo in a way not normally allowed
with the API. I don't think you need to use this.

> I suppose if I can't get what is the use of this function it's a good reason to
> say I don't need it ;)

:-)

> * what-provides
> I don't see an easy way to get that information. I suppose it is used for
> missing codecs?

Yes, and missing mime-types and a lot of the cleverness. If at all
possible you want to try and support this, else a lot of the clever
front end tools won't really shine. If you can tag your
gstreamer-plugins-bad ebuild with something like
provides:gstreamer0.10(decoder=audio/mp3) then gentoo would have the
same functionality as other backends. All the other cool kids are
adding metadata like this :)

Richard
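
Added example, not part of the original message and not PackageKit's own code: a small Python model of the only_trusted decision discussed above, covering both the yum rule (signed repo plus known GPG key) and a backend with no trust data. All names, status strings and the key id are hypothetical or constructed.

```python
"""Constructed model of the only_trusted decision; not PackageKit's real API."""
from dataclasses import dataclass
from typing import Optional

KNOWN_KEYS = {"CONSTRUCTED-KEY-1"}  # constructed sample key id


@dataclass(frozen=True)
class Package:
    name: str
    repo_signed: bool            # repo metadata carries a signature
    signing_key: Optional[str]   # key id that signed the package, if any


def is_trusted(pkg, known_keys=KNOWN_KEYS):
    # The yum rule from the reply: signed repo AND package signed by a known key.
    return pkg.repo_signed and pkg.signing_key in known_keys


def install_packages(pkgs, only_trusted, backend_has_trust_data):
    """Return (status, names). Status strings are hypothetical, not real enums."""
    names = [p.name for p in pkgs]
    if only_trusted:
        if not backend_has_trust_data:
            # No signatures to check (the Gentoo case): refuse rather than
            # treat everything as trusted and install without a prompt.
            return ("error-no-trust-data", names)
        untrusted = [p.name for p in pkgs if not is_trusted(p)]
        if untrusted:
            return ("error-untrusted", untrusted)
        return ("installed-without-prompt", names)
    # only_trusted=False: this path is the one gated by the password prompt.
    return ("installed-after-auth", names)


if __name__ == "__main__":
    vnc = Package("vnc", repo_signed=False, signing_key=None)
    print(install_packages([vnc], only_trusted=True, backend_has_trust_data=False))
    print(install_packages([vnc], only_trusted=False, backend_has_trust_data=False))
```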


