Mailinglist Archive: opensuse-buildservice (311 mails)

Re: [opensuse-buildservice] Unique vendors per repository are a must and the current setup is a timebomb / security hole
  • From: Adrian Schröter <adrian@xxxxxxx>
  • Date: Fri, 27 Nov 2009 11:05:12 +0100
  • Message-id: <200911271105.12659.adrian@xxxxxxx>
On Thursday, 26 November 2009 11:05:00, Stephan Kleine wrote:
On Thursday 26 November 2009 08:27:32 you wrote:
On Thursday, 26 November 2009 08:09:27, Stephan Kleine wrote:
On Thursday 26 November 2009 05:50:09 you wrote:
On Thursday, 26 November 2009 03:53:32, Stephan Kleine wrote:
...
Your very special use case is to have multiple repos added with
alternative packages, but you want to keep older packages from some
repos in some cases.

I neither want older packages nor is it some special case IMHO.

All I want is a way that allows me to define to get package X only from
repo Y and nowhere else.

Yes, and this would actually be a feature request for your installer tool
to support this.

With all due respect, that is somewhat ridiculous.

IMHO the whole purpose of a package manager is to install stuff while
resolving dependencies.

Now please ask around how many people would consider it natural if their
package manager switched from one repo to the other without them being
able to prevent this.

Or IOW how many people would consider it a "feature" that their package
management only installs stuff from the repo they originally added and
nowhere else.

I dare to claim that my assumption is shared by the majority and therefore
it's not a feature but a bug of the current setup.

The problem here is that our dependencies are usually not enough for the
package manager to decide this.

A typical packager (like me) does not think about the dependencies to this
degree.

For example, when I move an init script from obs-server to obs-api, this would
mean that I would have to add new dependencies to the packages, which protect
the user from mixing obs-api from openSUSE:Tools:Unstable with obs-server from
openSUSE:Tools, for example.

So this means a packager would always need to rethink all combinations and
can't rely on being able to ask the users to run "zypper update" or whatever.

Also, our spec files would look quite messy with all the Provides/Requires
this would need over time.

So, I think our defaults are very well chosen. By default neither the
packager nor the user needs to think about these kinds of problems. And when
the packager/project owner wants it, he needs to set the vendor in the project
config and rethink all possible combinations of his packages with the other
project(s).

So, you want to manually mix package versions and override package management
decisions. I currently cannot imagine how this can be a valid
use case.

No. All I want to have is a way that allows me to say that a package
sticks with the repository from which I installed it. This involves neither
manual changes nor overriding package management decisions or
whatever, but merely ensuring that the package management doesn't bite
me in the ass as soon as I don't look after every single package
update.

It is overriding the project owner decisions.

No. I just want to install stuff from the repo I originally added and not
from somewhere else.

Yes, but you are overriding the defaults anyway ;)
...

So, to sum that up once again:

I want a way that allows me to get PackageX only from RepoY and
nowhere else, without switching it to some other repo just because it happens
to be signed by the same PGP key.

Okay, but you should know that you are overriding the project owner's defaults.
Therefore such a feature belongs in the client (and I think it should warn when
it is used). At least the user needs to be aware of the fact that he is doing
something special.

bye
adrian

--

Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@xxxxxxx

--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-buildservice+help@xxxxxxxxxxxx
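The vendor-based update rule Adrian describes, and the per-repository pin Stephan asks for, as an added example that is not part of this thread and not code from libzypp, zypper or the OBS: a small Python model of the update decision for one installed package. The package names, versions, vendor strings and repository aliases are constructed for illustration; real libzypp compares the RPM Vendor tag and orders versions with rpmvercmp, which the plain version tuples here only approximate.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Package:
    name: str
    version: Tuple[int, ...]   # simplified: compared as a tuple, not with rpmvercmp
    vendor: str                # the RPM Vendor tag; this is what the solver compares
    repo: str                  # alias of the repository the package comes from


@dataclass
class Decision:
    chosen: Optional[Package] = None
    rejected: List[Tuple[Package, str]] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def choose_update(installed: Package, candidates: List[Package],
                  allow_vendor_change: bool = False,
                  pins: Optional[dict] = None) -> Decision:
    """Pick the update for one installed package.

    Rules, in order:
      1. the candidate must be newer than what is installed;
      2. if the user pinned the package to a repository, only that repo qualifies
         (the client-side feature discussed in the thread, hypothetical here);
      3. unless vendor change is allowed, the Vendor tag must equal the installed one.
    The repository a package came from is deliberately not part of rule 3: that is
    why a same-vendor package from another repository is a legal update.
    """
    pins = pins or {}
    decision = Decision()
    pinned_repo = pins.get(installed.name)
    if pinned_repo:
        # The pin overrides the project owner's defaults, so say so loudly.
        decision.warnings.append(
            f"{installed.name}: restricted to repo {pinned_repo}, "
            "overriding the vendor-based defaults")
    best = None
    for cand in candidates:
        if cand.name != installed.name:
            continue
        if cand.version <= installed.version:
            decision.rejected.append((cand, "not newer than installed"))
            continue
        if pinned_repo and cand.repo != pinned_repo:
            decision.rejected.append((cand, f"pinned to repo {pinned_repo}"))
            continue
        if not allow_vendor_change and cand.vendor != installed.vendor:
            decision.rejected.append(
                (cand, f"vendor change {installed.vendor!r} -> {cand.vendor!r}"))
            continue
        if best is None or cand.version > best.version:
            best = cand
    decision.chosen = best
    if best is not None and best.repo != installed.repo:
        decision.warnings.append(
            f"{installed.name}: update switches repo {installed.repo} -> {best.repo}")
    return decision


# Constructed sample data modelled on the thread: obs-server installed from
# openSUSE:Tools, with a newer build in openSUSE:Tools:Unstable that carries the
# same vendor string, and an unrelated third-party build with another vendor.
TOOLS_VENDOR = "obs://build.opensuse.org/openSUSE:Tools"      # constructed value
INSTALLED = Package("obs-server", (1, 6, 0), TOOLS_VENDOR, "openSUSE:Tools")
CANDIDATES = [
    Package("obs-server", (1, 6, 1), TOOLS_VENDOR, "openSUSE:Tools"),
    Package("obs-server", (1, 7, 0), TOOLS_VENDOR, "openSUSE:Tools:Unstable"),
    Package("obs-server", (1, 7, 5), "Example Corp", "example-corp-addons"),
    Package("obs-api", (1, 7, 0), TOOLS_VENDOR, "openSUSE:Tools:Unstable"),
]


def default_behaviour() -> Decision:
    """Vendor stickiness only: the same-vendor 1.7.0 from Unstable wins."""
    return choose_update(INSTALLED, CANDIDATES)


def with_repo_pin() -> Decision:
    """Stephan's request: obs-server may only come from openSUSE:Tools."""
    return choose_update(INSTALLED, CANDIDATES, pins={"obs-server": "openSUSE:Tools"})


def with_vendor_change() -> Decision:
    """Vendor change allowed: the highest version wins regardless of vendor."""
    return choose_update(INSTALLED, CANDIDATES, allow_vendor_change=True)


if __name__ == "__main__":
    for label, dec in (("default", default_behaviour()),
                       ("pinned", with_repo_pin()),
                       ("vendor change allowed", with_vendor_change())):
        print(label, "->", dec.chosen.version, "from", dec.chosen.repo)
        for w in dec.warnings:
            print("  warning:", w)
        for pkg, why in dec.rejected:
            print("  rejected", pkg.version, pkg.repo, ":", why)
```

The first scenario is the behaviour the thread argues about: the 1.7.0 build in openSUSE:Tools:Unstable carries the same vendor as the installed package, so it is a legal update and the package quietly changes repository; only the differently vendored 1.7.5 is refused. The per-package pin keeps obs-server on openSUSE:Tools and, as Adrian suggests for a client-side feature, emits a warning that the project owner's defaults are being overridden. In libzypp the vendor rule itself is controlled by the solver.allowVendorChange setting in zypp.conf; the per-repository pin modelled here is an assumption of this example, not a description of a zypper feature.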
