Bug 440060 - Authorization to require must depend on whether package is signed by a trusted key
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: PackageKit (Show other bugs)
Version: 9
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Robin Norwood
Fedora Extras Quality Assurance
Depends On:
Blocks:
Reported: 2008-04-01 11:31 EDT by David Zeuthen
Modified: 2013-03-05 22:55 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-09-17 04:45:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description David Zeuthen 2008-04-01 11:31:02 EDT
From bug 439844 comment 1
> [1] : I don't think PackageKit makes a distinction between what action is used
> if the package is signed by a trusted key vs. not. For the former we should
> allow this by default, for the latter we should require the admin password and
> not allow to retain such authorizations. Richard, Robin?

To elaborate: We need to check for different actions for the two distinct
scenarios in a transaction: 1) all packages are signed by a trusted key; and 2)
some packages are either unsigned or signed by an untrusted key.

For 1) we'd default the implicit authorization to "yes" for local users, e.g.
never ask for any password, e.g. JFDI. For 2) we'd require admin authentication.
Comment 1 Matthias Clasen 2008-04-01 11:32:48 EDT
Is this different from the install-local vs. install distinction we already make?
Or should it replace that one?
Comment 2 Richard Hughes 2008-04-01 11:33:46 EDT
How would packagekit know the packages are signed before the transaction is
being run? At the moment we ask for auth before we start the action, and don't
know they are signed until we get a callback from rpm.
Comment 3 David Zeuthen 2008-04-01 12:29:35 EDT
(In reply to comment #2)
> How would packagekit know the packages are signed before the transaction is
> being run? At the moment we ask for auth before we start the action, and don't
> know they are signed until we get a callback from rpm.

But that's "only" a problem with how PackageKit/yum/rpm currently works (note I
didn't say it was easy to solve). So that would need to be fixed, which is why I
haven't marked this as F9Target or F9Blocker, but it needs to be fixed for F10.

Probably one solution is a heuristic per repository saying e.g. "packages from
this repo are all signed by this key". Which means you can find out early what
authorization is needed. Now, you need to verify this as well before carrying
out the transaction. Which means checking authorizations a second time and
possibly prompting the user with a password dialog. If the user fails to gain
the authorization you abort the transaction.
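The two-phase scheme sketched in comment 3 (a per-repository signing-key heuristic to pick the authorization action before the transaction starts, then a second check against what rpm actually reports, aborting if the stricter authorization is refused) as an added model, not PackageKit, yum or PolicyKit code. The action ids, the repository-to-key table, the trusted key set and the `authorize` oracle are all constructed placeholders; in a real daemon the oracle would be the PolicyKit check that may pop up the admin-password dialog.

```python
"""Model of two-phase authorization for a package transaction (added example).

Phase 1 predicts the needed action from a per-repo heuristic so the daemon can
ask for authorization before any work is done. Phase 2 re-derives the action
from the signatures rpm actually saw and re-checks authorization only if the
real requirement is stricter than what was already granted.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Constructed placeholder action ids (not PackageKit's real PolicyKit actions).
ACTION_TRUSTED = "org.example.packagekit.install-trusted"
ACTION_UNTRUSTED = "org.example.packagekit.install-untrusted"
# Rank actions by strictness so we can tell "needs more authorization" apart
# from "already covered by what the user granted".
_STRICTNESS = {ACTION_TRUSTED: 0, ACTION_UNTRUSTED: 1}

# Constructed heuristic: "packages from this repo are all signed by this key".
# None means the repo makes no such promise.
REPO_SIGNING_KEY: Dict[str, Optional[str]] = {
    "fedora": "KEY-FEDORA",
    "updates": "KEY-FEDORA",
    "thirdparty": None,
}
# Constructed set of keys the system treats as trusted.
TRUSTED_KEYS: Set[str] = {"KEY-FEDORA"}


@dataclass
class Package:
    name: str
    repo: str
    # Key id rpm reports during verification; None if the package is unsigned.
    signed_by: Optional[str]


class AuthorizationDenied(Exception):
    """Raised when the authorization oracle refuses the needed action."""


def predicted_action(packages: List[Package]) -> str:
    """Phase 1: choose the action from the repo heuristic, before downloading."""
    for p in packages:
        if REPO_SIGNING_KEY.get(p.repo) not in TRUSTED_KEYS:
            return ACTION_UNTRUSTED
    return ACTION_TRUSTED


def verified_action(packages: List[Package]) -> str:
    """Phase 2: choose the action from the signatures rpm actually reported."""
    for p in packages:
        if p.signed_by not in TRUSTED_KEYS:
            return ACTION_UNTRUSTED
    return ACTION_TRUSTED


def run_transaction(packages: List[Package],
                    authorize: Callable[[str], bool]) -> List[str]:
    """Run the authorization flow; returns the actions that were checked.

    `authorize(action)` is the placeholder oracle (e.g. a PolicyKit check that
    may prompt for the admin password). Raises AuthorizationDenied on refusal.
    """
    checked = []
    action = predicted_action(packages)
    checked.append(action)
    if not authorize(action):
        raise AuthorizationDenied(action)

    # ... packages are downloaded; rpm reports each signature ...
    actual = verified_action(packages)
    if _STRICTNESS[actual] > _STRICTNESS[action]:
        # The heuristic under-estimated (e.g. a repo shipped an unsigned
        # package): check the stricter action and abort if it is refused.
        checked.append(actual)
        if not authorize(actual):
            raise AuthorizationDenied(actual)

    # Only now would the transaction be committed.
    return checked


def local_user_policy(action: str) -> bool:
    """Constructed policy for 1): trusted installs are implicitly allowed for
    local users; anything stricter needs admin authentication, which this
    oracle models as refused."""
    return action == ACTION_TRUSTED


if __name__ == "__main__":
    ok = [Package("foo", "fedora", "KEY-FEDORA")]
    print(run_transaction(ok, local_user_policy))
    lying_repo = [Package("baz", "fedora", None)]  # heuristic said signed, rpm says not
    try:
        run_transaction(lying_repo, local_user_policy)
    except AuthorizationDenied as e:
        print("aborted, needed", e)
```

The point of ranking the actions is that a user who already passed the stricter check is never prompted a second time when the heuristic over-estimated; the re-check only fires when verification shows the transaction needs more than was granted.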
Comment 4 Bug Zapper 2008-05-14 04:32:24 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 5 Richard Hughes 2008-09-17 04:45:55 EDT
I think we've got this pretty much nailed in rawhide -- see http://www.packagekit.org/gtk-doc/introduction-ideas-transactions.html for docs.
