[packagekit] Extending the RepoDetail signal

Anders F Björklund afb at algonet.se
Thu Oct 7 03:25:59 PDT 2010


Richard Hughes wrote:

> I've been asked to show in the PK GUIs if the repo is signed or not.
> This makes a lot of sense for an end user, as they can see if it's
> official and trusted or not. Yumex seems to have done this already
> http://www.yum-extender.org/gfx/yumex/yumex-repo-usage.png and shows
> secure repos with a little key symbol.
>
> I'm proposing to add a PkSigTypeEnum type to the RepoDetail signal,
> and at this time split off the 0.7 series and start doing API breaks
> again. 0.6 will remain in stable distros (like F14) and will be
> maintained for 1 year.

Does this make any difference between whether it is the rpm packages
that are signed, or if it is the repomd.xml metadata that is signed?

Currently yum doesn't make a difference between them, which causes some
problems for other clients. Or maybe that is more of a backend worry?

But "gpgcheck=1" can mean either.

It's just that whether packages are signed or not is a system setting
in Smart, so there are no repo-specific settings or keys for those...

If the repository is signed, it expects that gpg key to apply to the
"repomd.xml.asc" file. Just like it does to the "Release.gpg" file.

So repos are "unsigned" in Fedora.


And I suppose all files *can* be signed, so I'm not sure just the
presence of a signature means that it is "official and trusted"?

Currently it is enough that a key is installed into the keyring.
It doesn't have to be trusted, and it applies to all the packages...

--anders
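The distinction raised in this message (whether repomd.xml carries a signature at all, which key issued it, and whether that key is merely present in the keyring or actually trusted), as an added Python example that is not part of the thread or of PackageKit, yum or Smart: it extracts the Issuer key ID from a repomd.xml.asc detached signature and maps it to a status against a keyring of key ID to trust level. It does no cryptographic verification (that stays gpg's job); the sample signature, key ID and trust labels are constructed for the demo.

```python
import base64
import struct
from typing import Dict, Optional

def build_sample_asc(key_id: bytes) -> str:
    """Constructed minimal armored v4 signature (RFC 4880 layout); hash and MPI are dummies."""
    hashed = bytes([5, 2]) + b"\x00\x00\x00\x00"       # subpacket type 2 = creation time
    unhashed = bytes([9, 16]) + key_id                 # subpacket type 16 = issuer key ID
    body = (bytes([4, 0x00, 1, 8])                     # v4, sig type 0x00, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xab\xcd"                              # left 16 bits of the hash (dummy)
            + struct.pack(">H", 16) + b"\xff\xff")     # one dummy 16-bit MPI
    packet = bytes([0x88, len(body)]) + body           # old-format header: tag 2, 1-byte length
    b64 = base64.b64encode(packet).decode()
    return "-----BEGIN PGP SIGNATURE-----\n\n" + b64 + "\n-----END PGP SIGNATURE-----\n"

def dearmor(asc: str) -> bytes:
    """Strip ASCII armor; armor headers, blank lines and the CRC24 line are skipped, not checked."""
    data = [line.strip() for line in asc.splitlines()
            if line.strip() and not line.startswith(("-----", "=")) and ":" not in line]
    return base64.b64decode("".join(data))

def signature_issuer(packet: bytes) -> str:
    """Return the issuer key ID (hex) from an old-format v4 signature packet (tag 2)."""
    if (packet[0] & 0xC0) != 0x80 or ((packet[0] >> 2) & 0x0F) != 2:
        raise ValueError("not an old-format signature packet")
    body = packet[{0: 2, 1: 3, 2: 5}[packet[0] & 0x03]:]  # skip the 1/2/4-byte length header
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    pos = 4                                            # version, type, pubkey algo, hash algo
    for _ in range(2):                                 # hashed area, then unhashed area
        area_len = struct.unpack(">H", body[pos:pos + 2])[0]
        area, pos = body[pos + 2:pos + 2 + area_len], pos + 2 + area_len
        i = 0
        while i < len(area):
            sub_len = area[i]                          # one-byte subpacket length (< 192) assumed
            if area[i + 1] & 0x7F == 16:               # subpacket type 16 = Issuer
                return area[i + 2:i + 1 + sub_len].hex()
            i += 1 + sub_len
    raise ValueError("no Issuer subpacket")

def classify_repo_signature(asc: Optional[str], keyring: Dict[str, str]) -> str:
    """Map repomd.xml.asc (None = no signature file) to a status using key ID -> trust level."""
    if asc is None:
        return "unsigned"
    issuer = signature_issuer(dearmor(asc))
    trust = keyring.get(issuer)
    return f"signed-by-unknown-key:{issuer}" if trust is None else f"signed-{trust}:{issuer}"
```

A GUI key symbol driven only by "a signature file exists" would light up for the unknown-key case as well; the status string keeps the three cases apart so a frontend can show them differently.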
