> On Sat, 2003-10-04 at 09:18, Paul Dickson wrote: > Thinking about this a bit more, how about instead of a user configured > config directory, how about /var/cache/yum/conf/ for holding downloaded > configs hmm.. If we do this I would suggest that it work along the same lines as the rest of yum. e.g. includes are pulled each time (or checked for newness and then pulled) and the cached directory is used when in -C mode. In fact, this would be a must for remote includes to work in cache-only mode. Maybe urlgrabber will do all the heavy lifting for me here =) > New changes to a downloaded config are announced, perhaps with a "diff -u" nice. probably too much for the avg user though? > and there be [main] entries > listing the remote configs that are allow to download other remote configs. One thing to keep in mind is that includes are preprocessed. i.e. include= lines are handled specially before the config is truly parsed in order to construct one large config file for a ConfigParser. This leaves us with a chicken/egg situation where the include= preprocessor doesn't truly have the config like the rest of the app does (not that it's impossible to get to the values it just would add a significant amount of code to do so that is already handled nicely by ConfigParser). So, at this point, specifying values in the config file for the preprocessor is a bit daunting. I think seth was pretty adamant about not crossing that bridge. > As for recursion, save the full pathname (or unique filename) of each > included file along with the number of times it has been included. Recursion is handled in the patch. Sorry, it did look like I was asking for help on that too in my original post. > The values under [main] should not be set or changed by included files. This has been suggested further down the thread as well. I'll take a look at how we might be able to restrict included files from setting certain values but, IMO, the values with the most potential for destruction are the repository values (gpgcheck, baseurl). > The only remote config file in yum's shipped rpm should be commented out > with a note mentioning the security implications. Yea, I can't think of a file we would be including remotely out of the box. I doubt we'll even go as far as having a commented line in the default yum.conf. Probably would do to leave this to the man page. It would keep the default conf clean and also would hopefully increase the chances of the user reading any notices about security concerns. > I hope this message provides some ideas for implementation. Absolutely. Thanks a ton. I'll start logging these suggestions to bugzilla. - Ryan
