Jeff Spaleta wrote:
> That's not so easy to determine... if you have package foo-1 from extras and then extras pushes foo-2 and cleans out foo-1 from its directory at some point. And then crappyrpms.org pushes foo-3... how does yum know the foo-1 package you have installed is from extras?
It shouldn't matter that foo-1 got cleaned out from the repo, so long as on the user's system foo-1 got upgraded to foo-2.
That is, extras pushes foo-2, it's from the same repo as foo-1, so it's a "safe" upgrade. Then pooptastic pushes foo-3, and that triggers a conflict (perhaps a conflict of gpg signatures).
> You could implement a check against a change in signature... but the worth of that is somewhat limited as well. For example, I don't think packages in updates-testing are signed with a different key than updates-released, so just checking a change in signature doesn't catch a change in repo.
Well, it'd be a bit of a hack, but so what. Why not use different keys to sign different repos? It's a small (one-time) price, but it buys really useful functionality. Would it break anything?
But even if you check against a change in signature /without/ having different keys for released vs testing, you've still eliminated the pooptastic repo badness. That's a win.
-- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
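
The signature-change check discussed in this thread, modelled as an added example that is not part of the original message and is not yum code. The `Pkg` type, `check_upgrades`, the key IDs and the package data are all constructed, and it assumes the signing key ID of the installed package is available locally.

```python
# Added illustration: a model of the signature-change check from the thread.
# Not yum code; every name, key ID and package below is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkg:
    name: str
    version: int
    repo: str      # origin of a candidate ("installed" for local packages)
    key_id: str    # ID of the GPG key that signed the package

def check_upgrades(installed, candidates):
    """Return (safe, conflicts).

    safe maps a package name to the highest-version candidate signed by the
    same key as the installed package; conflicts lists every newer candidate
    whose signing key differs from the installed package's key.
    """
    safe, conflicts = {}, []
    for cand in sorted(candidates, key=lambda p: p.version):
        cur = installed.get(cand.name)
        if cur is None or cand.version <= cur.version:
            continue                      # not an upgrade of something installed
        if cand.key_id == cur.key_id:
            safe[cand.name] = cand        # same signer: treated as a safe upgrade
        else:
            conflicts.append(cand)        # signer changed: flag instead of upgrading
    return safe, conflicts

# Constructed key IDs (placeholders, not real keys)
EXTRAS_KEY, THIRDPARTY_KEY, FEDORA_KEY = "EXTRAS-KEY", "THIRDPARTY-KEY", "FEDORA-KEY"

INSTALLED = {
    "foo": Pkg("foo", 1, "installed", EXTRAS_KEY),
    "bar": Pkg("bar", 1, "installed", FEDORA_KEY),
}
CANDIDATES = [
    Pkg("foo", 2, "extras", EXTRAS_KEY),           # same key as foo-1
    Pkg("foo", 3, "crappyrpms", THIRDPARTY_KEY),   # different signer
    Pkg("bar", 2, "updates-released", FEDORA_KEY),
    # Assumption taken from the thread: testing shares the released key,
    # so the check cannot tell the two repos apart.
    Pkg("bar", 3, "updates-testing", FEDORA_KEY),
]

if __name__ == "__main__":
    safe, conflicts = check_upgrades(INSTALLED, CANDIDATES)
    for p in safe.values():
        print(f"upgrade  {p.name}-{p.version} from {p.repo}")
    for p in conflicts:
        print(f"conflict {p.name}-{p.version} from {p.repo} (key {p.key_id})")
```

Giving updates-testing its own key, as the reply proposes, turns the `bar-3` candidate into a conflict as well.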