On Wed, Jun 11, 2008 at 7:25 AM, mpb <[EMAIL PROTECTED]> wrote:
> Hi gobo-devel,
>
> I just installed GoboRootless in a new account, and I have the
> following questions/comments.
>
> 1) Atool is no longer required? I seem to remember that
> CreateRootlessEnvironment used to tell me to "Compile Atool". This
> time it did not. If Atool is no longer required, the following page
> could be updated:
As Hisham said, it's only used in ContributeRecipe, and then only when
you pass it a tarball (and that only because the skeleton was copied
from PutRecipe; it doesn't seem like a hugely useful feature for
ContributeRecipe), so it isn't necessary to have it at all. I've just
updated ContributeRecipe to use the new archive code now that it's
been pointed out, so there won't even be that in future.
>
> 2) I also upgraded an old Rootless installation in old account, and
> InstallPackage refused to install new versions of packages as the
> signatures failed to verify. I got the following message:
>
> InstallPackage: Installing Compile, version 1.11.0.
> InstallPackage: Uncompressing to /home/gobo/Programs...
> InstallPackage: Invalid signature. FileHash could not be verified.
> InstallPackage: Suspect package in /home/gobo/Programs/Compile/1.11.0
> InstallPackage: Removing downloaded package
> /tmp/Compile--1.11.0--i686.tar.bz2.
>
> It would be nice if InstallPackage would suggest that I consider
> upgrading Compile (via InstallPackage -S Compile) to get a fresh
> Programs/Compile/1.11.0/Shared/mime-info/Compile.keys file. (I am
> assuming that is the correct file - I had to hunt and guess to get
> things working again.)
It isn't (that's mime data for recipes, for click-and-compile). The
GPG keyring is in Scripts/Data/gpg/goboring.gpg, but the problem is
really that the signature format has changed and old tools are unable
to verify it. If you care about the chain of trust, you need to
upgrade release-by-release. Each release is signed by the previous
one, so you will always be able to verify them that way.
> Additionally, the current (or old?) error message ("Suspect package
> in...") seems to be incorrect as the suspect package is not actually
> installed (unless you specify -S).
>
> Additionally, from a *user* point of view, I think it makes more sense
> for the package signing public keys to be distributed as a part of
> Scripts instead of as a part of Compile, but this is not a big deal.
They are, so we'll check that one off.
> 3) Whenever I upgrade Compile (via InstallPackage Compile) I am told
> that there is a new Compile.conf file, and asked which version I want
> to use. This is always a hassle, as I am never sure whether to use
> the new one (which will forget my compileRecipeAuthor setting), or to
> auto-merge (I don't trust automerges - perhaps I should) or to
> manually edit the files (which is work).
>
> Perhaps Compile.conf could, as a final action, source a
> CompileLocal.conf file? I could then put my settings in
> CompileLocal.conf, and then I could always use the new Compile.conf
> file.
I would like that. You can just source in the /S/S file from under
~/.Settings, but that isn't obvious or really even documented (I
didn't know until I read the code). A local file would be useful.
-Michael
_______________________________________________
gobolinux-devel mailing list
gobolinux-devel@lists.gobolinux.org
http://lists.gobolinux.org/mailman/listinfo/gobolinux-devel
