| Field | Value |
|---|---|
| Summary | Authorization to require must depend on whether package is signed by a trusted key |
| Product | [Fedora] Fedora |
| Reporter | David Zeuthen <davidz> |
| Component | PackageKit |
| Assignee | Robin Norwood <robin.norwood> |
| Status | CLOSED RAWHIDE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Version | 9 |
| CC | mclasen, rhughes, tla |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Last Closed | 2008-09-17 08:45:55 UTC |
| Type | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
Description David Zeuthen 2008-04-01 15:31:02 UTC
From bug 439844 comment 1:

> I don't think PackageKit makes a distinction between what action is used
> if the package is signed by a trusted key vs. not. For the former we should
> allow this by default, for the latter we should require the admin password and
> not allow to retain such authorizations. Richard, Robin?

To elaborate: We need to check for different actions for the two distinct scenarios in a transaction:

1) all packages are signed by a trusted key; and
2) some packages are either unsigned or signed by an untrusted key

For 1) we'd default the implicit authorization to "yes" for local users... e.g. never ask for any password, e.g. JFDI. For 2) we'd require admin authentication.
Comment 1 Matthias Clasen 2008-04-01 15:32:48 UTC
Is this different from the install-local vs install distinction we already make? Or should it replace that one?
Comment 2 Richard Hughes 2008-04-01 15:33:46 UTC
How would packagekit know the packages are signed before the transaction is being run? At the moment we ask for auth before we start the action, and don't know they are signed until we get a callback from rpm.
Comment 3 David Zeuthen 2008-04-01 16:29:35 UTC
(In reply to comment #2)

> How would packagekit know the packages are signed before the transaction is
> being run? at the moment we ask for auth before we start the action, and don't
> know they are signed until we get a callback from rpm.

But that's "only" a problem with how PackageKit/yum/rpm currently works (note I didn't say it was easy to solve). So that would need to be fixed - which is why I haven't marked this as F9Target or F9Blocker but it needs to be fixed for F10.

Probably one solution is a heuristic per repository saying e.g. "packages from this repo are all signed by this key". Which means you can find out early what authorization is needed. Now, you need to verify this as well before carrying out the transaction. Which means checking authorizations a second time and possibly prompting the user with a password dialog. If the user fails to gain the authorization you abort the transaction.
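The two-phase scheme sketched in comment 3 (pick the authorization up front from a per-repository signing heuristic, then re-check against the key rpm actually reports before committing, and abort if the user cannot gain the stronger authorization), written out as an added illustration in Python. This is not PackageKit code: the action ids, the repository-to-key table, the trusted key set and the packages are all invented for the example.

```python
# Added illustration of the two-phase authorization check discussed above.
# Not PackageKit code: action ids, repositories, keys and packages are invented.
from dataclasses import dataclass
from typing import Optional

# Hypothetical PolicyKit-style action ids (placeholders, not PackageKit's real ones).
ACTION_TRUSTED = "org.example.package-install-trusted"      # implicit "yes" for local users
ACTION_UNTRUSTED = "org.example.package-install-untrusted"  # admin authentication required

# Constructed per-repository heuristic: "packages from this repo are all signed by this key".
REPO_KEYS = {"fedora": "KEY-FEDORA", "updates": "KEY-FEDORA", "thirdparty": "KEY-THIRD"}
TRUSTED_KEYS = {"KEY-FEDORA"}

@dataclass
class Package:
    name: str
    repo: str
    key: Optional[str] = None  # key rpm actually reports; None means unsigned

def expected_action(packages):
    """Phase 1: before the transaction runs, guess the action from the repo heuristic."""
    for pkg in packages:
        if REPO_KEYS.get(pkg.repo) not in TRUSTED_KEYS:
            return ACTION_UNTRUSTED
    return ACTION_TRUSTED

def verified_action(packages):
    """Phase 2: the same decision, now from the signing key rpm reported per package."""
    for pkg in packages:
        if pkg.key not in TRUSTED_KEYS:
            return ACTION_UNTRUSTED
    return ACTION_TRUSTED

def authorize(action, is_admin):
    """Stand-in for the PolicyKit check: trusted is implicit, untrusted needs an admin."""
    return action == ACTION_TRUSTED or is_admin

def run_transaction(packages, is_admin):
    """Return the outcome of the two checks; never installs on a downgraded guess."""
    first = expected_action(packages)
    if not authorize(first, is_admin):
        return "denied-before-start"
    second = verified_action(packages)
    # The heuristic was too optimistic: re-check, and abort if the user cannot gain it.
    if second != first and not authorize(second, is_admin):
        return "aborted-after-verify"
    return "installed"
```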
Comment 4 Bug Zapper 2008-05-14 08:32:24 UTC
Changing version to '9' as part of upcoming Fedora 9 GA. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 5 Richard Hughes 2008-09-17 08:45:55 UTC
I think we've got this pretty much nailed in rawhide -- see http://www.packagekit.org/gtk-doc/introduction-ideas-transactions.html for docs.