Bug 440060 - Authorization to require must depend on whether package is signed by a trusted key
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: PackageKit
Version: 9
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Robin Norwood
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-04-01 15:31 UTC by David Zeuthen
Modified: 2013-03-06 03:55 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-09-17 08:45:55 UTC
Type: ---
Embargoed:



Description David Zeuthen 2008-04-01 15:31:02 UTC
From bug 439844 comment 1
> [1] : I don't think PackageKit makes a distinction between what action is used
> if the package is signed by a trusted key vs. not. For the former we should
> allow this by default, for the latter we should require the admin password and
> not allow to retain such authorizations. Richard, Robin?

To elaborate: We need to check for different actions for the two distinct
scenarios in a transaction: 1) all packages are signed by a trusted key; and 2)
some packages are either unsigned or signed by an untrusted key.

For 1) we'd default the implicit authorization to "yes" for local users... e.g.
never ask for any password, e.g. JFDI. For 2) we'd require admin authentication.

Comment 1 Matthias Clasen 2008-04-01 15:32:48 UTC
Is this different from the install-local vs install distinction we already make?
Or should it replace that one?

Comment 2 Richard Hughes 2008-04-01 15:33:46 UTC
How would packagekit know the packages are signed before the transaction is
being run? At the moment we ask for auth before we start the action, and don't
know they are signed until we get a callback from rpm.


Comment 3 David Zeuthen 2008-04-01 16:29:35 UTC
(In reply to comment #2)
> How would packagekit know the packages are signed before the transaction is
> being run? At the moment we ask for auth before we start the action, and don't
> know they are signed until we get a callback from rpm.

But that's "only" a problem with how PackageKit/yum/rpm currently works (note I
didn't say it was easy to solve). So that would need to be fixed - which is why I
haven't marked this as F9Target or F9Blocker, but it needs to be fixed for F10.

Probably one solution is a heuristic per repository saying e.g. "packages from
this repo are all signed by this key". Which means you can find out early what
authorization is needed. Now, you need to verify this as well before carrying
out the transaction. Which means checking authorizations a second time and
possibly prompting the user with a password dialog. If the user fails to gain
the authorization you abort the transaction.

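The two-phase check described in comment 3 (an early decision from a per-repository "all packages from this repo are signed by this key" heuristic, then a second authorization check once rpm has reported the real signatures, aborting if it fails), as an added Python sketch that is not PackageKit's own code. The action ids, repository keys and packages below are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed action ids for the two scenarios in the bug report; these names are
# placeholders for the example, not PackageKit's real PolicyKit actions.
ACTION_TRUSTED = "org.example.packagekit.install-trusted"      # no password
ACTION_UNTRUSTED = "org.example.packagekit.install-untrusted"  # admin auth

# Constructed per-repo heuristic: which key a repo claims to sign everything
# with. None means the repo makes no such claim.
REPO_SIGNING_KEY = {"fedora": "KEY-FEDORA", "updates": "KEY-FEDORA", "thirdparty": None}
TRUSTED_KEYS = {"KEY-FEDORA"}

@dataclass
class Package:
    name: str
    repo: str
    signed_with: Optional[str]  # key id rpm reports at verify time, None if unsigned

def required_action(packages, repo_keys=REPO_SIGNING_KEY):
    """Phase 1, before the transaction: pick the action from the repo
    heuristic only, since the real signatures are not known yet."""
    for p in packages:
        if repo_keys.get(p.repo) not in TRUSTED_KEYS:
            return ACTION_UNTRUSTED
    return ACTION_TRUSTED

def verified_action(packages):
    """Phase 2, after download: the action the transaction really needs,
    based on the signature rpm found on each package."""
    for p in packages:
        if p.signed_with not in TRUSTED_KEYS:
            return ACTION_UNTRUSTED
    return ACTION_TRUSTED

def run_transaction(packages, authorize):
    """authorize(action) -> bool stands in for the PolicyKit check (and any
    password dialog). Returns (committed, list_of_actions_checked)."""
    checked = [required_action(packages)]
    if not authorize(checked[0]):
        return False, checked
    # ... packages fetched here; rpm calls back with the signer of each ...
    actual = verified_action(packages)
    if actual == ACTION_UNTRUSTED and checked[0] != ACTION_UNTRUSTED:
        # The heuristic was too optimistic (a vouched-for repo shipped an
        # unsigned/untrusted package): authorize again for the stronger action.
        checked.append(actual)
        if not authorize(actual):
            return False, checked  # abort; nothing installed with weak auth
    return True, checked
```

The second check only fires when the verified requirement is stronger than what was authorized up front, so the common all-trusted case never prompts.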

Comment 4 Bug Zapper 2008-05-14 08:32:24 UTC
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 5 Richard Hughes 2008-09-17 08:45:55 UTC
I think we've got this pretty much nailed in rawhide -- see http://www.packagekit.org/gtk-doc/introduction-ideas-transactions.html for docs.

