Red Hat Bugzilla – Bug 440060
Authorization to require must depend on whether package is signed by a trusted key
Last modified: 2013-03-05 22:55:11 EST
From bug 439844 comment 1
>  : I don't think PackageKit makes a distinction between what action is used
> if the package is signed by a trusted key vs. not. For the former we should
> allow this by default, for the latter we should require the admin password and
> not allow to retain such authorizations. Richard, Robin?
To elaborate: We need to check for different actions for the two distinct
scenarios in a transaction: 1) all packages are signed by a trusted key; and 2)
some packages are either unsigned or signed by an untrusted key.
For 1) we'd default the implicit authorization to "yes" for local users... e.g.
never ask for any password, e.g. JFDI. For 2) we'd require admin authentication.
Is this different from the install-local vs install distinction we already make?
Or should it replace that one?
How would packagekit know the packages are signed before the transaction is
being run? At the moment we ask for auth before we start the action, and don't
know they are signed until we get a callback from rpm.
(In reply to comment #2)
> How would packagekit know the packages are signed before the transaction is
> being run? At the moment we ask for auth before we start the action, and don't
> know they are signed until we get a callback from rpm.
But that's "only" a problem with how PackageKit/yum/rpm currently works (note I
didn't say it was easy to solve). So that would need to be fixed - which is why I
haven't marked this as F9Target or F9Blocker but it needs to be fixed for F10.
Probably one solution is a heuristic per repository saying e.g. "packages from
this repo are all signed by this key". Which means you can find out early what
authorization is needed. Now, you need to verify this as well before carrying
out the transaction. Which means checking authorizations a second time and
possibly prompting the user with a password dialog. If the user fails to gain
the authorization you abort the transaction.
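One way to model the two-phase check sketched in the comment above (pick the action early from a per-repository key heuristic, then re-check once rpm reports the real signatures and abort if the stricter authorization is refused). This is an added illustration, not PackageKit's own code; the action ids, the repository key table, the key ids and the `authorize` callback are all assumed placeholders.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Assumed PolicyKit-style action ids (placeholders, not PackageKit's real ones).
ACTION_TRUSTED = "org.example.package-install-trusted"      # implicit "yes" for local users
ACTION_UNTRUSTED = "org.example.package-install-untrusted"  # requires admin authentication

# Constructed heuristic: "packages from this repo are all signed by this key".
REPO_KEYS = {"fedora": "KEY-FEDORA", "updates": "KEY-FEDORA"}
TRUSTED_KEYS = {"KEY-FEDORA"}


@dataclass
class Package:
    name: str
    repo: Optional[str]    # None for a local file with no repository
    signer: Optional[str]  # key id rpm actually reports, None if unsigned


def expected_action(packages: List[Package]) -> str:
    """Phase 1: choose the action from the per-repository heuristic, before rpm runs."""
    if all(REPO_KEYS.get(p.repo) in TRUSTED_KEYS for p in packages):
        return ACTION_TRUSTED
    return ACTION_UNTRUSTED


def actual_action(packages: List[Package]) -> str:
    """Phase 2: the action implied by the signatures rpm really reported."""
    if all(p.signer in TRUSTED_KEYS for p in packages):
        return ACTION_TRUSTED
    return ACTION_UNTRUSTED


def run_transaction(packages: List[Package],
                    authorize: Callable[[str], bool]) -> Optional[str]:
    """authorize(action) models the PolicyKit check, which may prompt the user.
    Returns the action the transaction ran under, or None if it was aborted."""
    action = expected_action(packages)
    if not authorize(action):
        return None                      # user never gained the first authorization
    verified = actual_action(packages)
    if verified == ACTION_UNTRUSTED and action != ACTION_UNTRUSTED:
        # Heuristic was too optimistic (e.g. an unsigned package in a "trusted"
        # repo): check authorization a second time, possibly prompting for a password.
        if not authorize(verified):
            return None                  # abort rather than install under weaker auth
        return verified
    return action
```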
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
I think we've got this pretty much nailed in rawhide -- see http://www.packagekit.org/gtk-doc/introduction-ideas-transactions.html for docs.