On 02/14/2011 10:08 PM, seth vidal wrote:
> On Mon, 2011-02-14 at 21:47 +0200, Panu Matilainen wrote:
>> If we forget about rpm 4.6 - 4.7 (i.e. just let them behave like 4.4.x
>> does), in newer versions you can use your own keyring without ever
>> touching the rpmdb for keys if you want to - for example pulling the
>> keys pointed to by .repo files into a keyring and telling rpm to use
>> that instead of what might be in the rpmdb. It's just that wedging this
>> kind of new stuff into yum while maintaining yum's api compatibility,
>> rpm 4.4.x compatibility and without adding large sections of differing
>> codepaths causing even more pain, is not always exactly trivial.
> what kind of keyring is this? A normal gpg pubring + trustdb or rpm's
> keyring-in-a-db?
It's an in-memory construct with no backing store (at least currently),
and while rpm by default uses gpg-pubkey's from the rpmdb to populate it
behind the scenes, you can populate it from whatever source you want, it
eats ascii-armored GPG keys. E.g.
>>> import rpm
>>> kr = rpm.keyring()
>>> key = rpm.pubkey(file("/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-14-primary").read())
>>> kr.addKey(key)
0
>>> ts = rpm.TransactionSet()
>>> ts.setKeyring(kr)
True
...and that transaction set will never go to the rpmdb for signature
checking.
Or you can grab the default rpmdb keyring into memory (e.g. early on when
you are accessing rpmdb anyway) and then use it later on to avoid having
to load stuff from rpmdb again, e.g.
>>> ts = rpm.TransactionSet()
>>> kr = ts.getKeyring()
>>> del ts
>>> ots = rpm.TransactionSet()
>>> ots.setKeyring(kr)
True
It's a pretty primitive API but does allow the thing it was pretty much
created for: signature checking without accessing the rpmdb. So you
could check signatures while downloading, without ctrl-c issues (it also
eliminated some nasty recursion from rpm internals but that's another
story) and allow the keys to come from other sources than rpmdb. That
the gpg-pubkey "packages" are still actually used by default is more of
an "internal implementation detail", although changing that is going to
be a tricky and slow process because various things, yum included,
actually expect to find them there.
- Panu -
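An added example (not code from this thread, nor from yum or rpm) of the .repo-driven keyring described above: collect the gpgkey= file paths from a .repo file, load them into an in-memory rpm keyring, and verify a package against only those keys. The sample .repo content, repository names and key file names are constructed; the rpm calls are those shown in the message plus ts.hdrFromFdno, which performs the signature check while reading the package header.

```python
import configparser
import os

# Constructed sample .repo file (not a real repository): two repos, one of
# which has gpgcheck disabled and therefore must contribute no keys.
SAMPLE_REPO = """
[example-base]
name=Example Base
baseurl=http://repo.example.invalid/base/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
       file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example-secondary

[example-extra]
name=Example Extra (unchecked)
baseurl=http://repo.example.invalid/extra/
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ignored
"""

def repo_key_paths(repo_text):
    """Local paths from gpgkey= entries of repos that have gpgcheck=1.

    Only file:// URLs are handled here; keys served over http(s) would have
    to be fetched and fingerprint-checked before being trusted.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(repo_text)
    paths = []
    for section in cp.sections():
        if cp.get(section, "gpgcheck", fallback="0").strip() != "1":
            continue
        for url in cp.get(section, "gpgkey", fallback="").split():
            if url.startswith("file://"):
                paths.append(url[len("file://"):])
    return paths

def build_keyring(key_paths):
    """In-memory rpm keyring populated from ASCII-armored key files."""
    import rpm  # imported here so the parser above works without the bindings
    kr = rpm.keyring()
    for path in key_paths:
        with open(path, "rb") as f:
            kr.addKey(rpm.pubkey(f.read()))
    return kr

def verify_package(rpm_path, keyring):
    """Read a package header using only `keyring`; rpm.error on bad/unknown sig."""
    import rpm
    ts = rpm.TransactionSet()
    ts.setKeyring(keyring)  # signature checks never consult rpmdb gpg-pubkeys
    fd = os.open(rpm_path, os.O_RDONLY)
    try:
        return ts.hdrFromFdno(fd)["name"]  # verification happens during the read
    finally:
        os.close(fd)
```

A caller that catches rpm.error around verify_package() can reject a download before anything touches the rpmdb, which is the ctrl-c-safe ordering the message argues for.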
_______________________________________________
Yum-devel mailing list
[email protected]
http://lists.baseurl.org/mailman/listinfo/yum-devel