On Mon, Sep 08, 2003 at 04:02:46PM -0600, Jason Gunthorpe wrote:
> Any sort of query during install isn't going to work so well without much
> bigger changes. Mostly this has to do with the way multiple instances of
> the same package are handled, the various origins are not uniquified and
> it cannot retain the md5sum information to figure out what makes sense.
>
> So even though it says it's coming from a secure source because one
> instance is listed as secure it may very well decide to download and
> verify it from an insecure one. I haven't the faintest clue about how
> you'd go about fixing this.

Hmm...where in the code does this magic happen? I suppose it could be changed to consider a package to be coming from an insecure source if any of the available origins are insecure, and sidestep the problem that way. I don't think this will be much of a problem in practice, since sources having the same packages available will typically also have the same Release, same signature, etc.

-- 
 - mdz

