Red Hat Bugzilla – Bug 178908
system-install-packages bug and patches
Last modified: 2007-11-30 17:11:22 EST
Description of problem:
1. system-install-packages foo gives a traceback if foo doesn't exist.
2. system-install-packages dont tell the user if package already is installed.
it is only written to stdout.
3. system-install-packages can't install a non signed package.
I have done a little hacking and created some patches for the problems.
Version-Release number of selected component (if applicable): 0.9.7-1
Created attachment 123664 [details]
Patch for file not found traceback
Created attachment 123665 [details]
Patch for telling the user if a package allready installed
It also fixes two time 'elif == 0:' efter each other
Created attachment 123666 [details]
Patch for installing packages that are not signed
Created attachment 123667 [details]
new patch for file not found there was an error in the first one
In the future, it helps to provide patches separately so they can be tracked
* File not found: Committed
* Already installed: Committed, with some text tweaks as well as i18n marking
For the third, I'm not sure that installing unsigned packages is really the
right thing to do if the configuration is set up to require signed packages.
Which is most of why I've held off applying any of these, but I'm not any closer
to personal resolution.
What would be the use case of having gpgcheck=1 and then wanting to install an
(In reply to comment #5)
> In the future, it helps to provide patches separately so they can be tracked
I will do so in the future :-)
> * File not found: Committed
> * Already installed: Committed, with some text tweaks as well as i18n marking
> For the third, I'm not sure that installing unsigned packages is really the
> right thing to do if the configuration is set up to require signed packages.
> Which is most of why I've held off applying any of these, but I'm not any closer
> to personal resolution.
I most cases it would be ok, not to install unsigned packages, but in some cases
it would be nice to just warn the user and let the user decide.
A user what to use the 'foobar' application, but it is not availible in any
repositories. He locates the application on the "foobar" homepage, And there is
a link to download a rpm for Fedora Core, He clicks the link and Firefox
suggests to open the rpm with the system-install-packages tool, he selects to do
so, and he get a "Unable to verify" error.
1. Keep it as is, maybe change the text to something like "The package is not
signed, so it cant be installed for security reasons"
2. just install it.
3. Warn the user about the security issues and let him choose to install it or not.
Maybe it should be something to be enabled in /etc/pirut.conf
> What would be the use case of having gpgcheck=1 and then wanting to install an
> unsigned package?
When installing from a repository, it is up to the state of "gpgcheck=" to
deside how to handle unsigned packages, but it not very useful in the previous
After talking with jrb a bit (who happened to hit this case installing VMware
the other day), went ahead and implemented, although I did it a bit differently
than your patch.