[packagekit] Res: One click install support in PackageKit

Debayan Banerjee debayanin at gmail.com
Sun Mar 29 08:14:08 PDT 2009


2009/3/24 Dan Kegel <dank at kegel.com>:
> http://www.cs.ucr.edu/~dperkins/projects/pk-oci/
>
> some security.   See also
> https://lists.linux-foundation.org/pipermail/packaging/2008-October/000842.html
> and the resulting discussion (some of which is elsewhere, e.g.
> http://duncan.mac-vicar.com/blog/archives/414 )
>

I read up on the links posted on this thread. I understand that
the main problems are:

1) There is no way to trust third party software repositories.
2) Distributions like Fedora and Debian will never include non-free
repository information such as GPG keys for non-free repositories.

My view is that we do not really need to follow a policy where we
trust a repository based on its GPG key etc. What we are concerned
with is the package at the end of the day, and if the package itself
is not compromised in any way then we can always install it. The
question now is, how do we know if a package is compromised or not.

Let's say Fedora sets up a server at the url
https://checksums.fedoraproject.org/thirdparty. This server shall
contain a listing of all the MD5SUMS/SHA1SUMS of all third party
packages that are popular. Fedora may give "commit rights" to certain
trusted (trusted by Fedora) 3rd party developers so they can update
this list from time to time.

Suppose I now click on any one-click-install link and it downloads
packages. It then queries the checksums server and finds out if the
package is 1) listed, 2) tainted. If not, well and good, go ahead and
install it.

In any case, we can always do this for free software packages if not
for 3rd party repositories.

Is this concept sound?

-- 
Be Intelligent, Use GNU/Linux

http://debayanin.googlepages.com/
http://debayan.wordpress.com
http://lug.nitdgp.ac.in
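The client-side check the mail proposes, as an added example that is not code from the thread or from PackageKit: hash the downloaded package, look it up in a fetched listing, and refuse anything unlisted, flagged tainted, or whose bytes differ from the vouched-for digest. The listing dictionary, package names and file contents below are constructed for the example; the real listing format and the checksums.fedoraproject.org URL are hypothetical, as in the mail. The example uses SHA-256 rather than the MD5/SHA-1 the mail mentions, since both of those are collision-prone.

```python
import hashlib
import hmac
from pathlib import Path
from tempfile import TemporaryDirectory

# Constructed stand-in for the proposed checksum listing. Each entry keys a
# package file name to the digest a Fedora-trusted third-party maintainer
# would publish, plus a flag for packages later found to be compromised.
# (Format and contents are assumptions for this example.)
LISTING = {
    "foo-1.0-1.x86_64.rpm": {
        "sha256": hashlib.sha256(b"foo package bytes").hexdigest(),
        "tainted": False,
    },
    "bar-2.3-1.x86_64.rpm": {
        "sha256": hashlib.sha256(b"bar package bytes").hexdigest(),
        "tainted": True,  # listed, but explicitly flagged as compromised
    },
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so large packages need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verdict(path, listing):
    """Decide whether a downloaded package may be installed.

    Returns one of:
      'install'  - listed, not tainted, bytes match the published digest
      'unlisted' - nobody has vouched for this package name
      'tainted'  - listed but flagged as compromised
      'mismatch' - listed name, but the bytes differ from what was vouched for
    """
    entry = listing.get(Path(path).name)
    if entry is None:
        return "unlisted"
    if entry["tainted"]:
        return "tainted"
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, entry["sha256"]):
        return "mismatch"
    return "install"


def demo():
    """Write four constructed 'downloads' and run the check on each."""
    results = {}
    with TemporaryDirectory() as tmp:
        cases = [
            ("genuine",  "foo-1.0-1.x86_64.rpm", b"foo package bytes"),
            ("tampered", "foo-1.0-1.x86_64.rpm", b"foo package bytes + backdoor"),
            ("flagged",  "bar-2.3-1.x86_64.rpm", b"bar package bytes"),
            ("unknown",  "baz-0.1-1.x86_64.rpm", b"baz package bytes"),
        ]
        for label, name, content in cases:
            # Separate directory per case so two files may share a package name.
            d = Path(tmp) / label
            d.mkdir()
            pkg = d / name
            pkg.write_bytes(content)
            results[label] = verdict(pkg, LISTING)
    return results


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:9s} -> {decision}")
```

Note that this only moves the trust question from the repository to the listing: the listing itself has to reach the client intact, so it must be fetched over an authenticated channel (the https URL in the mail) or be signed by the distribution, otherwise whoever can alter the listing can vouch for any package.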

