Bug 440060

Summary: Authorization to require must depend on whether package is signed by a trusted key
Product: Fedora
Reporter: David Zeuthen <davidz>
Component: PackageKit
Assignee: Robin Norwood <robin.norwood>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 9
CC: mclasen, rhughes, tla
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-09-17 08:45:55 UTC

Description David Zeuthen 2008-04-01 15:31:02 UTC
From bug 439844 comment 1
> [1] : I don't think PackageKit makes a distinction between what action is used
> if the package is signed by a trusted key vs. not. For the former we should
> allow this by default, for the latter we should require the admin password and
> not allow to retain such authorizations. Richard, Robin?

To elaborate: We need to check for different actions for the two distinct
scenarios in a transaction: 1) all packages are signed by a trusted key; and 2)
some packages are either unsigned or signed by an untrusted key.

For 1) we'd default the implicit authorization to "yes" for local users... e.g.
never ask for any password, e.g. JFDI. For 2) we'd require admin authentication.

Comment 1 Matthias Clasen 2008-04-01 15:32:48 UTC
Is this different from the install-local vs install distinction we already make?
Or should it replace that one?

Comment 2 Richard Hughes 2008-04-01 15:33:46 UTC
How would packagekit know the packages are signed before the transaction is
being run? At the moment we ask for auth before we start the action, and don't
know they are signed until we get a callback from rpm.


Comment 3 David Zeuthen 2008-04-01 16:29:35 UTC
(In reply to comment #2)
> How would packagekit know the packages are signed before the transaction is
> being run? at the moment we ask for auth before we start the action, and don't
> know they are signed until we get a callback from rpm.

But that's "only" a problem with how PackageKit/yum/rpm currently works (note I
didn't say it was easy to solve). So that would need to be fixed - which is why I
haven't marked this as F9Target or F9Blocker, but it needs to be fixed for F10.

Probably one solution is a heuristic per repository saying e.g. "packages from
this repo are all signed by this key". Which means you can find out early what
authorization is needed. Now, you need to verify this as well before carrying
out the transaction. Which means checking authorizations a second time and
possibly prompting the user with a password dialog. If the user fails to gain
the authorization you abort the transaction.
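
The two-phase scheme sketched in comment 3, as an added illustration that is not part of the bug report or of PackageKit's code: a per-repository signing-key heuristic picks the authorization action up front, and the action is re-checked against what rpm actually reports before the transaction is committed. The action names, repository list and key ids are constructed placeholders, not real PolicyKit action ids.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Hypothetical authorization action ids (placeholders, not PackageKit's real ones).
ACTION_TRUSTED = "example.install-trusted"      # implicit "yes" for local users
ACTION_UNTRUSTED = "example.install-untrusted"  # requires admin authentication

# Constructed per-repository heuristic: "packages from this repo are signed by this key".
REPO_SIGNING_KEY = {"fedora": "KEY-FEDORA", "updates": "KEY-FEDORA", "local": None}
TRUSTED_KEYS = {"KEY-FEDORA"}


@dataclass
class Package:
    name: str
    repo: str
    signer: Optional[str] = None  # key id reported by the rpm callback; None if unsigned


def predicted_action(packages: List[Package]) -> str:
    """Phase 1: choose the action before the transaction runs, from the repo heuristic."""
    for pkg in packages:
        if REPO_SIGNING_KEY.get(pkg.repo) not in TRUSTED_KEYS:
            return ACTION_UNTRUSTED
    return ACTION_TRUSTED


def actual_action(packages: List[Package]) -> str:
    """Phase 2: the action really required once rpm has reported each signer."""
    for pkg in packages:
        if pkg.signer not in TRUSTED_KEYS:
            return ACTION_UNTRUSTED
    return ACTION_TRUSTED


def run_transaction(packages: List[Package],
                    authorize: Callable[[str], bool]) -> Tuple[bool, List[str]]:
    """authorize(action) stands in for the PolicyKit check (and any password dialog).
    Returns (committed, actions that were checked)."""
    checked = [predicted_action(packages)]
    if not authorize(checked[0]):
        return False, checked
    # Verify before committing: if the heuristic was too optimistic and an
    # unsigned/untrusted package turned up, authorization is checked a second time.
    needed = actual_action(packages)
    if needed == ACTION_UNTRUSTED and checked[0] != ACTION_UNTRUSTED:
        checked.append(needed)
        if not authorize(needed):
            return False, checked  # user failed to gain authorization: abort
    return True, checked
```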


Comment 4 Bug Zapper 2008-05-14 08:32:24 UTC
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 5 Richard Hughes 2008-09-17 08:45:55 UTC
I think we've got this pretty much nailed in rawhide -- see http://www.packagekit.org/gtk-doc/introduction-ideas-transactions.html for docs.