Bug 178908 - system-install-packages bug and patches
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: pirut
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Jeremy Katz
Reported: 2006-01-25 06:51 EST by Tim Lauridsen
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2006-02-03 17:24:12 EST

Attachments
Patch for file not found traceback (1006 bytes, patch)
2006-01-25 06:51 EST, Tim Lauridsen
Patch for telling the user if a package already installed (1.54 KB, patch)
2006-01-25 06:54 EST, Tim Lauridsen
Patch for installing packages that are not signed (3.61 KB, patch)
2006-01-25 06:55 EST, Tim Lauridsen
New patch for file not found; there was an error in the first one (598 bytes, patch)
2006-01-25 06:58 EST, Tim Lauridsen

Description Tim Lauridsen 2006-01-25 06:51:58 EST
Description of problem:

1. system-install-packages foo gives a traceback if foo doesn't exist.
2. system-install-packages doesn't tell the user if a package is already installed;
   it is only written to stdout.
3. system-install-packages can't install a non-signed package.

I have done a little hacking and created some patches for the problems.

Version-Release number of selected component (if applicable): 0.9.7-1
Comment 1 Tim Lauridsen 2006-01-25 06:51:58 EST
Created attachment 123664
Patch for file not found traceback
Comment 2 Tim Lauridsen 2006-01-25 06:54:24 EST
Created attachment 123665
Patch for telling the user if a package already installed

It also fixes 'elif == 0:' appearing twice, one after the other
Comment 3 Tim Lauridsen 2006-01-25 06:55:45 EST
Created attachment 123666
Patch for installing packages that are not signed
Comment 4 Tim Lauridsen 2006-01-25 06:58:41 EST
Created attachment 123667
New patch for file not found; there was an error in the first one
Comment 5 Jeremy Katz 2006-02-01 19:14:47 EST
In the future, it helps to provide patches separately so they can be tracked
individually.

* File not found: Committed
* Already installed: Committed, with some text tweaks as well as i18n marking

For the third, I'm not sure that installing unsigned packages is really the
right thing to do if the configuration is set up to require signed packages. 
Which is most of why I've held off applying any of these, but I'm not any closer
to personal resolution.

What would be the use case of having gpgcheck=1 and then wanting to install an
unsigned package?
Comment 6 Tim Lauridsen 2006-02-03 03:05:09 EST
(In reply to comment #5)
> In the future, it helps to provide patches separately so they can be tracked
> individually.
> 
I will do so in the future :-)
> * File not found: Committed
> * Already installed: Committed, with some text tweaks as well as i18n marking
> 

> For the third, I'm not sure that installing unsigned packages is really the
> right thing to do if the configuration is set up to require signed packages. 
> Which is most of why I've held off applying any of these, but I'm not any closer
> to personal resolution.
> 
In most cases it would be OK not to install unsigned packages, but in some cases
it would be nice to just warn the user and let the user decide.

Example:

A user wants to use the 'foobar' application, but it is not available in any
repositories. He locates the application on the "foobar" homepage, and there is
a link to download an rpm for Fedora Core. He clicks the link and Firefox
suggests opening the rpm with the system-install-packages tool; he selects to do
so, and he gets an "Unable to verify" error.

Possible solutions:

1. Keep it as is, maybe change the text to something like "The package is not
signed, so it can't be installed for security reasons"

2. Just install it.

3. Warn the user about the security issues and let him choose to install it or not.

Maybe it should be something to be enabled in /etc/pirut.conf

> What would be the use case of having gpgcheck=1 and then wanting to install an
> unsigned package?

When installing from a repository, it is up to the state of "gpgcheck=" to
decide how to handle unsigned packages, but it is not very useful in the previous
example.
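
The three options listed in comment 6, written out as an added example; it is not one of the attached patches and not the change that was later committed. Only `gpgcheck` comes from the thread: the option name `unsigned_local`, its values and the `Sig` states are assumptions made for illustration.

```python
import configparser
from enum import Enum

class Sig(Enum):
    OK = "signed by a trusted key"
    UNSIGNED = "no signature present"
    BAD = "signature does not verify"
    NOKEY = "signed, but the key is not imported"

# Constructed sample; 'unsigned_local' is a hypothetical option, not a real pirut key.
SAMPLE_CONF = "[main]\ngpgcheck=1\nunsigned_local=ask\n"

def load_policy(text):
    """Return (gpgcheck, unsigned_local); unknown or missing values fail closed."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    main = cp["main"]
    gpgcheck = main.getboolean("gpgcheck", fallback=True)
    unsigned = main.get("unsigned_local", fallback="refuse").strip().lower()
    if unsigned not in ("refuse", "ask", "install"):
        unsigned = "refuse"
    return gpgcheck, unsigned

def decide(sig, gpgcheck, unsigned, confirm=None):
    """Return (install, reason) for a local package file.

    confirm is a callable taking the warning text and returning True/False;
    None means no user is present (non-interactive run).
    """
    if not gpgcheck:
        return True, "gpgcheck=0: signatures are not enforced"
    if sig is Sig.OK:
        return True, sig.value
    if sig is not Sig.UNSIGNED:
        # A failing signature or an unknown key is never overridable here.
        return False, sig.value
    if unsigned == "install":                      # option 2
        return True, "unsigned package installed by policy"
    if unsigned == "ask" and confirm is not None:  # option 3
        warning = "The package is not signed and cannot be verified. Install anyway?"
        ok = bool(confirm(warning))
        return ok, "user accepted unsigned package" if ok else "user declined"
    return False, "unsigned package refused"       # option 1, or 'ask' with no user

if __name__ == "__main__":
    gpgcheck, unsigned = load_policy(SAMPLE_CONF)
    for sig in Sig:
        print(sig.name, decide(sig, gpgcheck, unsigned, confirm=lambda msg: False))
```

The override applies only to the "no signature" case; a package whose signature fails to verify is refused whatever `unsigned_local` says.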




Comment 7 Jeremy Katz 2006-02-03 17:24:12 EST
After talking with jrb a bit (who happened to hit this case installing VMware
the other day), went ahead and implemented, although I did it a bit differently
than your patch.
Comment 8 Tim Lauridsen 2006-02-04 10:20:29 EST
Looking good 
