Description of problem:
To "work around" BZ 529349 a recent PK patch _silently_ disables any remote repos which can't be reached. This means that if a user tells PK to "install FOO" where FOO-1 was in Fedora 11 GA, and had a security bug in it, and FOO-2 is in updates ... PK could now silently install FOO-1. This is somewhat mitigated due to yum's behaviour of only throwing the error in bug 529349 when it has no repodata for a repo and can't reach it. So the security problem is mostly limited to new installs and people who have done "yum clean all" type operations.

Version-Release number of selected component (if applicable):
http://kojipkgs.fedoraproject.org/packages/PackageKit/0.5.4/0.1.20091029git.fc12/

Which contains the upstream patch:

commit 17cf7c2bfadef59690c0c96a6af18ae2fb3430a2
Author: Richard Hughes <richard>
Date: Tue Oct 20 15:47:36 2009 +0100

    yum: disable repos that are not contactable

diff --git a/backends/yum/yumBackend.py b/backends/yum/yumBackend.py index 8632e53..5625089 100755 --- a/backends/yum/yumBackend.py +++ b/backends/yum/yumBackend.py @@ -2667,6 +2667,13 @@ class PackageKitYumBackend(PackageKitBaseBackend, Package continue repo.metadata_expire = 60 * 60 * 1.5 # 1.5 hours, the default + # disable repos that are not contactable + for repo in self.yumbase.repos.listEnabled(): + try: + repo.repoXML + except yum.Errors.RepoError, e: + self.yumbase.repos.disableRepo(repo.id) + # should we suggest yum-complete-transaction? unfinished = yum.misc.find_unfinished_transactions(yumlibpath=self.yumb
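Review bot: the `except yum.Errors.RepoError, e:` branch disables the repo without reporting anything: `e` is bound but never used, and nothing tells the user or the frontend that `self.yumbase.repos.disableRepo(repo.id)` has just removed a repo from the set used to resolve the install. As the description points out, when the dropped repo is updates the transaction proceeds from the remaining repos and can pick an older package with a known security bug, with no indication that anything was skipped. Suggest emitting a warning that names `repo.id` and the error text before (or instead of) disabling, so the failure is visible, and considering whether an install that would pull a lower version than the unreachable repo carries should fail rather than continue.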
This isn't a security bug. I've talked with Seth about this. I've talked to Matthias about this. It's crazy to prevent any installs if a single repo is not available. And from a real-life point of view... when was the last time fedora was available but not updates? I think you're making a mountain out of a molehill.
What is the plan here? Will PK get some warning pop-up to notify users when some repo is disabled? Should this remain private for now, given what's already in public bug 529349?
Well, we could pop up a warning, although I think that would get pretty irritating and we've been trying to reduce the number of popups on the desktop, not make them happen every few minutes. I really don't think this bug should be private, or even marked as a security bug.
This reminds me of the security bug yum got dinged on last year. Essentially, we need to tell users and make sure they understand when things are inaccessible and that could be keeping them from getting security updates. Silently disabling and continuing just means they won't know what they are not getting.
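To make concrete the difference between the silent disable described in the bug report and the "tell the user" behaviour asked for above, here is a small added Python model; it is not PackageKit's or yum's own code, and `Repo`, `RepoError`, `resolve` and the sample repos are constructed stand-ins for the real backend objects.

```python
from dataclasses import dataclass

# Constructed model (not the PackageKit yum backend or yum itself) of how
# dropping an unreachable repo changes which version of a package gets picked.


class RepoError(Exception):
    """Stand-in for yum.Errors.RepoError (assumption: same role, simplified)."""


@dataclass
class Repo:
    id: str
    packages: dict          # package name -> version string, e.g. {"FOO": "2"}
    reachable: bool = True
    has_cached_repodata: bool = False

    def repo_xml(self):
        # Mirrors the mitigation noted in the description: yum only raises
        # when it has no repodata for the repo AND cannot reach it.
        if not self.reachable and not self.has_cached_repodata:
            raise RepoError("Cannot retrieve repository metadata for %s" % self.id)
        return self.packages


def _vertuple(version):
    return tuple(int(part) for part in version.split("."))


def resolve(repos, name, silent):
    """Return (best_version, warnings) for package `name`.

    silent=True mimics the original patch: a repo whose metadata fails is
    skipped and nobody is told. silent=False keeps the install going but
    records one message per skipped repo so the frontend can show the user
    what was left out."""
    best = None
    warnings = []
    for repo in repos:
        try:
            pkgs = repo.repo_xml()
        except RepoError as err:
            if not silent:
                warnings.append("repo %s disabled: %s" % (repo.id, err))
            continue
        if name in pkgs and (best is None or _vertuple(pkgs[name]) > _vertuple(best)):
            best = pkgs[name]
    return best, warnings


# Constructed sample: FOO-1 in the GA repo, FOO-2 (the security fix) only in updates.
FEDORA = Repo("fedora", {"FOO": "1"})
UPDATES_DOWN = Repo("updates", {"FOO": "2"}, reachable=False)
UPDATES_CACHED = Repo("updates", {"FOO": "2"}, reachable=False, has_cached_repodata=True)
```

With `UPDATES_DOWN` and `silent=True` the resolver quietly returns FOO-1; with `silent=False` it returns the same version but also a warning naming the disabled repo, and with cached repodata (`UPDATES_CACHED`) FOO-2 is still found.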
Opening this bug.
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle. Changing version to '12'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
commit aa7a41e1e9bde3848885c07c9feb59325c229743
Author: Richard Hughes <richard>
Date: Tue Jan 5 09:49:38 2010 +0000

    yum: show a message to the user if the repo could not be reached. Fixes rh#531838
PackageKit-0.5.6-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/PackageKit-0.5.6-1.fc12
PackageKit-0.5.6-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.