[packagekit] Software Sources / Channels and PackageKit
Anders F Björklund
afb at algonet.se
Wed May 25 00:45:31 PDT 2011
(continued)
> In Fedora, you add/remove yum channels by installing/removing
> packages that contain the yum .repo file(s) and gpg key(s)...
> So if you want to enable the "foo" repository you install the
> "foo-release" rpm with /etc/yum.repos.d/* and /etc/pki/rpm-gpg/*
>
> This is similar to editing /etc/apt/sources.list and using apt-key.
> (e.g. https://help.launchpad.net/Packaging/PPA/InstallingSoftware)
> So if you use another meta-package manager, you'll need to pry open
> that package and extract the repository configuration and public key.
BTW; The problem with the current "*-release" packages is that they
are self-referring. The URL location of the repository containing
the RPM is contained _inside the package_, and signed by a GPG key
that is located _inside the package_ making the whole thing weird.
So either you have to locate the package yourself, and install it
without verifying signatures (running scripts as root, as usual):
http://fedoraproject.org/wiki/EPEL#How_can_I_use_these_extra_packages.3F
http://rpmfusion.org/Configuration # "...by clicking Enter a few times"
Or you have to extract the *.repo and RPM-GPG-KEY-* files from the
RPM (using e.g. rpm2cpio), and configure yum (or similar) manually:
rpm2cpio *-release-*.rpm | cpio -dvim /etc/yum.repos.d/\* /etc/pki/rpm-gpg/\*
su -c "cp ./etc/yum.repos.d/* /etc/yum.repos.d; cp ./etc/pki/rpm-gpg/* /etc/pki/rpm-gpg"
So no matter which way you accomplish it, you will still need to:
1) configure the repo 2) trust the keys 3) update the index files
The only difference with the "*-release" RPM and the Launchpad PPA
is that are you "spared" from the details and security implications.
The main problem (with the *-release rpms) is the same as with the
*.package, that is: running unverified code (as an administrator!).
It would be "better", even if tedious, if this was done in 3 steps.
Better still would be if it didn't require root privileges to do so.
Like in Zero Install. ;-)
--anders
More information about the PackageKit
mailing list