Re: [pkg-discuss] [review] fixes for bugs 17961, 17968
On 03/ 8/11 06:11 PM, Shawn Walker wrote:
> On 03/ 8/11 06:03 PM, Danek Duvall wrote:
>> Shawn Walker wrote:
>>> http://cr.opensolaris.org/~swalker/pkg-17961/
>>
>> image.py:
>>
>> - line 1922: why is this "or" and not "and"? How can you verify
>>   signatures if there are none, even if the signature policy is not
>>   ignore? Or is it just that in the case that one or the other is
>>   false, the operation will be safe and quick? (Same holds for similar
>>   code in pkgplan.)
>
> There's a subtle nuance in behaviour here that I should probably add in
> the comment. The behaviour is that by going through the signature
> verification for the 'ignore' case, the cert data will be cached so that
> if they later decide to verify the package, or change the image policy
> to 'verify', the signature data will already be there.

Sorry, just realised I left one question unanswered. It is possible to set a signature policy that requires all packages be signed. So if there are no signatures, then verifying the signatures will fail.

-Shawn

___
pkg-discuss mailing list
pkg-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
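The "or" versus "and" question from this message, worked through as an added example (a hypothetical model, not code from image.py, pkgplan or pkg(5)). The policy strings, `check_signatures`, `gate_or`, `gate_and`, `install` and the sample record are all assumptions made up for the illustration.

```python
# Added illustration: a hypothetical model, not code from image.py or pkg(5).
IGNORE, VERIFY, REQUIRE = "ignore", "verify", "require-signatures"

class SignatureError(Exception):
    pass

def check_signatures(policy, sigs, cert_cache):
    """Cache every signer's cert, then enforce the policy."""
    for sig in sigs:
        cert_cache.add(sig["cert"])      # cached even when policy is 'ignore'
    if policy == IGNORE:
        return
    if policy == REQUIRE and not sigs:
        raise SignatureError("policy requires a signature, none present")
    for sig in sigs:
        if not sig["valid"]:
            raise SignatureError("bad signature from " + sig["cert"])

def gate_or(policy, sigs):
    # Skip verification only when the policy is 'ignore' AND nothing is signed.
    return policy != IGNORE or bool(sigs)

def gate_and(policy, sigs):
    # The alternative raised in review: verify only when both conditions hold.
    return policy != IGNORE and bool(sigs)

def install(policy, sigs, gate):
    """Return (outcome, cached certs) for one package under the given gate."""
    cache = set()
    try:
        if gate(policy, sigs):
            check_signatures(policy, sigs, cache)
    except SignatureError:
        return "rejected", sorted(cache)
    return "accepted", sorted(cache)

# Constructed sample signature record.
SIGNED = [{"cert": "cert-A", "valid": True}]

if __name__ == "__main__":
    for gate in (gate_or, gate_and):
        for policy, sigs in ((REQUIRE, []), (IGNORE, SIGNED), (IGNORE, [])):
            print(gate.__name__, policy, len(sigs), install(policy, sigs, gate))
```

In this model the "and" gate fails open: an unsigned package is accepted under the policy that requires signatures, and a signed package under 'ignore' leaves the cert cache empty.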
Re: [pkg-discuss] [review] fixes for bugs 17961, 17968
Hi Shawn,

On Thu, 2011-03-03 at 15:24 -0800, Shawn Walker wrote:
> 17961 pkg verify aborts if a package from a removed publisher is installed
> 17968 pkg uninstall fails when conflicting packages are retained from
> removed publisher
>
> webrev:
> http://cr.opensolaris.org/~swalker/pkg-17961/

This looks good to me. The only thing that might help is to also test that 'pkg verify' does indeed still find errors on packages whose publisher has been disabled or removed, as opposed to perhaps just silently succeeding, and not detecting errors.

cheers,
tim
Re: [pkg-discuss] [review] fixes for bugs 17961, 17968
On 03/ 8/11 06:03 PM, Danek Duvall wrote:
> Shawn Walker wrote:
>> http://cr.opensolaris.org/~swalker/pkg-17961/
>
> image.py:
>
> - line 1922: why is this "or" and not "and"? How can you verify
>   signatures if there are none, even if the signature policy is not
>   ignore? Or is it just that in the case that one or the other is
>   false, the operation will be safe and quick? (Same holds for similar
>   code in pkgplan.)

There's a subtle nuance in behaviour here that I should probably add in the comment. The behaviour is that by going through the signature verification for the 'ignore' case, the cert data will be cached so that if they later decide to verify the package, or change the image policy to 'verify', the signature data will already be there.

> - line 1924: why compute sig_pol again?

Thinko.

-Shawn
Re: [pkg-discuss] [review] fixes for bugs 17961, 17968
Shawn Walker wrote:
> http://cr.opensolaris.org/~swalker/pkg-17961/

image.py:

- line 1922: why is this "or" and not "and"? How can you verify signatures if there are none, even if the signature policy is not ignore? Or is it just that in the case that one or the other is false, the operation will be safe and quick? (Same holds for similar code in pkgplan.)

- line 1924: why compute sig_pol again?

Thanks,
Danek