Hi folks.

In https://bugzilla.novell.com/show_bug.cgi?id=503276 Michael asked me to take my issue to the mailing list, so I'm going to present my case here:

My problem is that currently a repository's "vendor" apparently is bound to its PGP key, which IMHO is a time bomb because of zypp's "vendor stickiness", since it currently considers every repository that gets signed with the same key to be the same "vendor".

Now consider the following use case:

1. There are repos A:Foo and A:Bar.
2. Since A:Foo & A:Bar use the same PGP key, they also use the same vendor.
3. A:Foo contains Package1 and unstable svn snapshots of Package2.
4. A:Bar contains Package2 and unstable svn snapshots of Package1.

Now I want to install Package1 from A:Foo and Package2 from A:Bar, and I don't want to install their respective svn copies. So I have to specify for every package which repository to use, but this won't work because both use the same vendor, because they use the same PGP key.

It was suggested to use repository priorities, but this doesn't work either in that case because the stable / unstable (svn) stuff is in the other repo.

That theoretical setting aside, it also makes using OBS with zypp kind of Russian roulette because there's no way to foresee when someone will publish a newer binary in some sub-repository (that uses the same vendor because it gets signed by the same PGP key) and then gets me updated to that newer version in a different repo _which I do not want_! So this also introduces a pretty severe security hole IMHO.

IOW: I consider it absolutely mandatory to be able to say I want to get PackageX _only_ from RepositoryY and _nowhere_ else, which currently is _not_ possible.

Other thoughts:

1. I agree that using the same PGP key to sign different (sub)repositories makes sense because the "trust level" is the same.
2. I totally disagree that linking the signing PGP key to the repository's vendor is a good idea, because the trust level (PGP key) simply is a different thing than the state of the repo from which I would like to get a certain package.
3. Manually setting the vendor in the prjconf is no option because I'm not able to do that on the public OBS, and there are far too many repos to write everyone an email and ask him / her to set a unique vendor.

Proposed solution:

1. Feel free to use the same key to sign different (sub)repositories (as it is now) if the "trust level" is the same.
2. Use _unique_ vendors per repository so one is able to say "I want PackageX only from RepositoryY and nowhere else.", which is currently _not_ possible.

Possible implementation:

1. Use the PGP keys as you use them currently.
2. Assign a _unique_ vendor to every existing repository and generate unique vendors for all new repos.

Final conclusion:

1. I consider being able to say "I want PackageX only from RepositoryY and nowhere else." absolutely mandatory, but this is currently _not_ possible with zypp.
2. This could easily be changed by using unique vendors per repository on OBS.
3. I honestly fail to see why you argue so much against using unique vendors per repository.

So please either tell me a solution that solves the above described use cases or change the public OBS configuration so unique vendors per repository are used.

best,
Stephan.

--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
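The A:Foo / A:Bar scenario from the message above, as an added illustration (editor's example, not zypp or OBS code): a small Python model of the vendor-stickiness rule the post describes, where an installed package is only ever replaced by a candidate carrying the same vendor string. Everything else is assumed for the example: the key-derived vendor string "obs://A", the per-repo vendor strings "obs://A:Foo" and "obs://A:Bar", version tuples in which an "svn" snapshot sorts after the release it derives from, and the extra sub-repository A:Baz that publishes a newer Package2 later on. Running it shows that with the shared vendor both installed packages get pulled over to the other repo's svn snapshot (and Package2 later to A:Baz), while with unique vendors nothing moves.

```python
"""Model of zypp-style "vendor stickiness" for the A:Foo / A:Bar case.

Added example, not zypp's resolver. The single rule modelled is the one the
mailing-list post describes: a candidate may replace an installed package only
if its vendor string matches the installed package's vendor string.
Version ordering is plain tuple comparison, so (1, 0, "svn", 900) > (1, 0):
an svn snapshot is treated as newer than the release it was cut from (assumed).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkg:
    name: str
    version: tuple      # e.g. (1, 0) or (1, 0, "svn", 900)
    repo: str           # OBS repository the binary comes from
    vendor: str         # vendor string zypp would see for that binary


def vendor_for(repo: str, shared_key_vendor: bool) -> str:
    """Vendor string a repo gets (assumed values, not real OBS output).

    shared_key_vendor=True models the behaviour the post complains about: every
    repo signed with project A's key carries the same vendor. False models the
    proposed fix: one unique vendor per repository.
    """
    return "obs://A" if shared_key_vendor else "obs://" + repo


def upgrade_candidate(installed: Pkg, available):
    """Return the package the sticky resolver would upgrade to, or None."""
    best = None
    for p in available:
        if p.name != installed.name or p.vendor != installed.vendor:
            continue                      # vendor stickiness: other vendors are never candidates
        if p.version > installed.version and (best is None or p.version > best.version):
            best = p
    return best


def build_repos(shared_key_vendor: bool):
    """Constructed repo contents matching steps 3 and 4 of the post."""
    v_foo = vendor_for("A:Foo", shared_key_vendor)
    v_bar = vendor_for("A:Bar", shared_key_vendor)
    return [
        Pkg("Package1", (1, 0), "A:Foo", v_foo),               # stable Package1
        Pkg("Package2", (2, 0, "svn", 1200), "A:Foo", v_foo),  # svn snapshot of Package2
        Pkg("Package2", (2, 0), "A:Bar", v_bar),               # stable Package2
        Pkg("Package1", (1, 0, "svn", 900), "A:Bar", v_bar),   # svn snapshot of Package1
    ]


def simulate(shared_key_vendor: bool, extra=()):
    """Install Package1 from A:Foo and Package2 from A:Bar, then ask the sticky
    resolver where each would be upgraded to. Returns {name: repo-or-None}.
    `extra` lets you model "someone publishes a newer binary in some sub-repo"."""
    available = build_repos(shared_key_vendor) + list(extra)
    installed = [
        Pkg("Package1", (1, 0), "A:Foo", vendor_for("A:Foo", shared_key_vendor)),
        Pkg("Package2", (2, 0), "A:Bar", vendor_for("A:Bar", shared_key_vendor)),
    ]
    result = {}
    for cur in installed:
        cand = upgrade_candidate(cur, available)
        result[cur.name] = None if cand is None else cand.repo
    return result


if __name__ == "__main__":
    # A third sub-repository, signed with the same key, later ships Package2 2.5 (assumed).
    later = [Pkg("Package2", (2, 5), "A:Baz", vendor_for("A:Baz", True))]
    print("shared vendor:      ", simulate(True))
    print("shared vendor, A:Baz:", simulate(True, later))
    print("unique vendors:     ", simulate(False))
```

The model is deliberately blind to signing keys: both configurations use the same key, and only the vendor string differs, which is exactly the separation of trust level from package origin the post asks for.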