On Wed, May 5, 2021 at 11:55 AM Qiyu Yan <yanqiyu@xxxxxxxxxxxxxxxxx> wrote: > > 在 2021-05-05星期三的 07:44 +0200,Dan Čermák写道: > > przemek klosowski via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> writes: > > > > > Is that something we need to worry about? I couldn't think of any new > > > rules to impose on repositories, but maybe dnf should have more > > > explicit > > > warnings when it sees multiple versions of the same package, or at > > > least > > > a way to show such versions. > > > > Or how about teaching dnf that only certain repositories are allowed to > > be used for updates (with an allowedlist for exceptions)? Then > > microsoft > > or any other third party repo could put hello-5000-1 into their repo > > and > > it could never compromise your system, as dnf would not consider the > > 3rd > > party repo a valid update repo for a base system package. > > > > That would require dnf to track where it got the package from though > > and I am not sure if it does that at the moment? > This reminds me of an idea named Vendor Change from Zypper of openSUSE > https://en.opensuse.org/SDB:Vendor_change_update > This approach seems to solve our problems here? Well, we do have the sticky vendor feature in DNF, DNF on openSUSE has it switched on by default[1]. If we want to have this feature turned on in Fedora, we could look at having it switched on. [1]: https://build.opensuse.org/package/view_file/openSUSE:Factory/libdnf/libdnf-0.55.0-Switch-allow_vendor_change-off.patch?expand=1 -- 真実はいつも一つ!/ Always, there's only one truth! _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
