status of up2date and rhn-applet

Jack Tanner ihok at hotmail.com
Sun Nov 27 15:25:11 UTC 2005


Jeff Spaleta wrote:
> That's not so easy to determine...  if you have package foo-1 from extras
> and then extras pushes foo-2  and cleans out foo-1 from its directory
> at some point. And then crappyrpms.org pushes foo-3... how does yum
> know the foo-1 package you have installed is from extras?

It shouldn't matter that foo-1 got cleaned out from the repo, so long as
on the user's system foo-1 got upgraded to foo-2.

That is, extras pushes foo-2, it's from the same repo as foo-1, so it's 
a "safe" upgrade. Then pooptastic pushes foo-3, and that triggers a 
conflict (perhaps a conflict of gpg signatures).

> You could implement a check against a change in signature... but the
> worth of that is somewhat limited as well. for example I don't think
> packages in updates-testing are signed with a different key than
> updates-released so you just checking a change in signature doesn't
> catch a change in repo.

Well, it'd be a bit of a hack, but so what. Why not use different keys 
to sign different repos? It's a small (one-time) price, but it buys 
really useful functionality. Would it break anything?

But even if you check against a change in signature /without/ having 
different keys for released vs testing, you've still eliminated the 
pooptastic repo badness. That's a win.
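
The signer-continuity check discussed in this thread, sketched as an added example (not part of the original message and not yum's code). The Package model, the function names and the key IDs are assumptions made for illustration; the repo and package names follow the thread.

```python
# Added illustration: refuse an upgrade when the signing key changes.
# Key IDs below are constructed placeholders, not real GPG key IDs.
from dataclasses import dataclass

@dataclass(frozen=True)
class Package:
    name: str
    version: int
    repo: str      # informational only; the check never relies on it
    key_id: str    # ID of the GPG key that signed the package

def check_upgrade(installed, candidate):
    """Return 'ok' if the candidate is newer and signed by the same key as
    the installed package, 'conflict' if the signer changed, and 'skip' if
    it is not a newer version of the same package."""
    if candidate.name != installed.name or candidate.version <= installed.version:
        return "skip"
    return "ok" if candidate.key_id == installed.key_id else "conflict"

def apply_updates(installed, candidates):
    """Walk candidates in version order, upgrading only while the signer
    stays the same. Returns (final package, refused candidates)."""
    refused = []
    for cand in sorted(candidates, key=lambda p: p.version):
        verdict = check_upgrade(installed, cand)
        if verdict == "ok":
            installed = cand
        elif verdict == "conflict":
            refused.append(cand)
    return installed, refused

# Scenario from the thread: extras ships foo-1 and foo-2, another repo ships foo-3.
FOO1 = Package("foo", 1, "extras", "KEY-EXTRAS")
FOO2 = Package("foo", 2, "extras", "KEY-EXTRAS")
FOO3 = Package("foo", 3, "third-party", "KEY-OTHER")

# Limitation raised in the thread: testing and released share one key...
BAR1 = Package("bar", 1, "updates-released", "KEY-UPDATES")
BAR2_SHARED = Package("bar", 2, "updates-testing", "KEY-UPDATES")
# ...unless each repo signs with its own key, as the reply proposes.
BAR2_SPLIT = Package("bar", 2, "updates-testing", "KEY-TESTING")

if __name__ == "__main__":
    print(apply_updates(FOO1, [FOO3, FOO2]))
    print(check_upgrade(BAR1, BAR2_SHARED), check_upgrade(BAR1, BAR2_SPLIT))
```

The check works even after foo-1 has been removed from the repo, because it compares the candidate against the key recorded for the installed package rather than against repo contents.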
