On Sat, Jul 22, 2017 at 05:26:55PM -0400, Neal Gompa wrote: > On Sat, Jul 22, 2017 at 5:11 PM, Zbigniew Jędrzejewski-Szmek > <zbyszek@xxxxxxxxx> wrote: > > On Sat, Jul 22, 2017 at 02:06:42PM -0600, Chris Murphy wrote: > >> On Sat, Jul 22, 2017 at 1:57 PM, Matthew Miller > >> <mattdm@xxxxxxxxxxxxxxxxx> wrote: > >> > On Sat, Jul 22, 2017 at 01:42:11PM -0600, Chris Murphy wrote: > >> >> I don't know what things the unprivileged user can do other than > >> >> search and info. But off hand I'd say an unprivileged user should not > >> >> be able to download metadata. Use one /var/cache/dnf always. And if > >> >> it's stale, just inform the user. Only update the cache if the command > >> >> is issued by root. > >> > > >> > I dunno; what harm is there in giving the ability to use a separate > >> > user cache for queries? This allows you to do things like repoquery as > >> > an unprivileged user for repos that aren't enabled by default. > >> > >> I'm fine with a layered approach, *if* a repo db does not exist for > >> root, then it's OK for a user copy to be downloaded, but how about one > >> for all users to share rather than each user getting a downloaded copy > >> of the same thing? > > > > It'd probably require rearchitecturing the way that caching works. > > Current implementation does the best (maybe ignoring some minor bugs) > > of what is possible in a secure way with unprivileged users in current > > design, but we should be able to do better. Namely, create a polkit-aware > > daemon which will download metadata on demand, and then make root and > > the users forward all metadata download requests to this daemon. > > This would avoid any duplicate downloads, without the need to run > > dnf searches as root. > > > > (Ideally, dnf would also have strong tmpfiles.d policy to clean up all > > caches after ~1 month of unuse, so that if a user requests some repo, > > the disk space is not permanently wasted.) > > > > So... like dnfdaemon, except with less capabilities? Exactly! How do I use dnfdaemon? I only see the raw python and dbus APIS... Are there any plans to make dnfdaemon a primary method of interacting with dnf db? Zbyszek _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
