[packagekit] Questions about install-signatures, what-provides and repo-set-data

Mounir Lamouri mounir.lamouri at gmail.com
Wed Jun 24 02:46:58 PDT 2009 

On Wed, Jun 24, 2009 at 9:32 AM, Richard Hughes<hughsient at gmail.com> wrote:
> On Tue, Jun 23, 2009 at 10:44 PM, Mounir
> Lamouri<mounir.lamouri at gmail.com> wrote:
>> * install-signatures
>> As far as I know, the only security in Gentoo is md5sum of the ebuilds/tarballs
>> and they do not need to be installed so this function probably doesn't need to
>> be in the backend.
>
> I don't think this is relevant for gentoo. One slight concern I have
> is how you make the backend secure. At the moment you can
> InstallPackages(only_trusted=TRUE) without a password by default. So,
> if you say that every package is trusted (because there is no trust
> data like a signed binary deb) then users might get upset that
> software is installed without a prompt. It might be better to return
> with an ErrorCode if only_trusted is true, and rely on
> only_trusted=False so at least we show a password prompt. Up to you.
> Imagine if InstallPackage(vnc) installs vnc, starts it, and runs it by
> default.
I didn't test with the newly only_trusted parameter and yes, I will
probably need to manage that. Actually, as for search-files /
get-require / get-files, why not adding something to know if the
backend support such things. Trusted is probably something not every
PM will use.

And by the way, Zac, nothing has been planned/discussed related to
this feature in Gentoo ?

>> * repo-set-data
>> I really don't get the meaning of this function. According to the example, user
>> can set the download-url of a repository ?
>
> They can do anything specific to the backend. So on the dummy backend
> I could do:
>
> RepoSetData("reponame", "use-gpg", "1")
> RepoSetData("reponame", "add-repo", "http://www.hughsie.com/repo")
> RepoSetData("reponame", "set-distro-version", "+1")
>
> It allows you to interact with a repo in a way not normally allowed
> with the API. I don't think you need to use this.
It should let user add "personnal" repositories ?
If yes, it could be interesting even if not a priority.


>> * what-provides
>> I don't see an easy way to get those informations. I suppose it is used for
>> missing codecs ?
>
> Yes, and missing mime-types and a lot of the cleverness. If at all
> possible you want to try and support this, else a lot of the clever
> front end tools won't really shine. If you can tag your
> gstreamer-plugins-bad ebuild with something like
> provides:gstreamer0.10(decoder=audio/mp3) then gentoo would have the
> same functionality as other backends. All the other cool kids are
> adding metadata like this :)
At the moment, nothing like that is in Gentoo.
I will surely not count on such a feature for the end of my gsoc (ie.
for a first public realease) but we could propose it for further
developments. What do you think Zac ?

Thanks,
Mounir

More information about the PackageKit mailing list