status of up2date and rhn-applet
ihok at hotmail.com
Sun Nov 27 15:25:11 UTC 2005
Jeff Spaleta wrote:
> That's not so easy to determine... if you have package foo-1 from extras
> and then extras pushes foo-2 and cleans out foo-1 from its directory
> at some point. And then crappyrpms.org pushes foo-3... how does yum
> know the foo-1 package you have installed is from extras?
It shouldn't matter that foo-1 got cleaned out from the repo, so long as
on the user's system foo-1 got upgraded to foo-2.
That is, extras pushes foo-2, it's from the same repo as foo-1, so it's
a "safe" upgrade. Then pooptastic pushes foo-3, and that triggers a
conflict (perhaps a conflict of gpg signatures).
> You could implement a check against a change in signature... but the
> worth of that is somewhat limited as well. For example, I don't think
> packages in updates-testing are signed with a different key than
> updates-released, so just checking a change in signature doesn't
> catch a change in repo.
Well, it'd be a bit of a hack, but so what. Why not use different keys
to sign different repos? It's a small (one-time) price, but it buys
really useful functionality. Would it break anything?
But even if you check against a change in signature /without/ having
different keys for released vs testing, you've still eliminated the
pooptastic repo badness. That's a win.
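
The signature-change check discussed in this thread, sketched as an added example (not part of the original message and not yum's code). The `Pkg` type, the function names, the repo label `third-party` and all key IDs are constructed for illustration; the second case shows the limitation raised in the quoted text, where two repos share one key.

```python
from dataclasses import dataclass

# Constructed key IDs; real ones would come from each package's signature header.
EXTRAS_KEY = "KEY-EXTRAS-EXAMPLE"
THIRD_PARTY_KEY = "KEY-THIRDPARTY-EXAMPLE"
FEDORA_KEY = "KEY-FEDORA-EXAMPLE"

@dataclass(frozen=True)
class Pkg:
    name: str
    version: int
    repo: str     # repo the package is offered from
    key_id: str   # ID of the GPG key that signed the package

def check_upgrade(installed, candidate):
    """Classify an upgrade by comparing signing keys only.

    The repo the installed package came from is deliberately not consulted:
    it may no longer be known once the old package is cleaned out of the
    repo, whereas the signature travels with the installed package.
    """
    if candidate.name != installed.name or candidate.version <= installed.version:
        return "not-an-upgrade"
    if candidate.key_id != installed.key_id:
        return "conflict"
    return "safe"

def plan(installed, candidates):
    """Walk candidates in version order and apply only the safe ones."""
    current, log = installed, []
    for cand in sorted(candidates, key=lambda p: p.version):
        verdict = check_upgrade(current, cand)
        log.append((cand.version, cand.repo, verdict))
        if verdict == "safe":
            current = cand
    return current, log

# Case 1: foo-1 and foo-2 from extras, foo-3 from another repo with another key.
foo1 = Pkg("foo", 1, "extras", EXTRAS_KEY)
foo2 = Pkg("foo", 2, "extras", EXTRAS_KEY)
foo3 = Pkg("foo", 3, "third-party", THIRD_PARTY_KEY)
FOO_RESULT = plan(foo1, [foo3, foo2])

# Case 2: updates-released and updates-testing share a key, so the repo
# change goes unnoticed by a key-only check.
bar1 = Pkg("bar", 1, "updates-released", FEDORA_KEY)
bar2 = Pkg("bar", 2, "updates-testing", FEDORA_KEY)
BAR_VERDICT = check_upgrade(bar1, bar2)

if __name__ == "__main__":
    print(FOO_RESULT[1], BAR_VERDICT)
```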