[Bug 503276] New: Different vendors for different repositories
http://bugzilla.novell.com/show_bug.cgi?id=503276

Summary: Different vendors for different repositories
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Platform: Other
OS/Version: Other
Status: NEW
Severity: Critical
Priority: P5 - None
Component: BuildService
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: bitdealer@gmail.com
QAContact: adrian@novell.com
Found By: ---

Could you please be so kind to change your scripts so different OBS repositories have a different / unique vendor?

The reasoning is that the zypp folks claim that "vendor stickiness" should be enough but it doesn't really help if the whole OBS is one single vendor.

Personally I would prefer some "Smart" style where I am able to set different priorities for repositories __as well as packages__ but since this won't happen the only solution seems to be to enable different vendors per repository on OBS. E.g. simply use the repo names - home:bitshuffler for my own one or openSUSE:Factory or KDE:KDE4:Communtiy and so on.

The reasoning is that I would like to be able to get packages for some application from a certain repository. Now, if I use some other repository for some reason that provides the same package I get switched to the other version without being able to prevent that (since all those repos have the same "vendor") which is, IMHO, simply not acceptable in quite a few settings.

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=503276

Adrian Schröter <adrian@novell.com> changed:

What       |Removed                                    |Added
----------------------------------------------------------------------------
AssignedTo |bnc-team-screening@forge.provo.novell.com  |mls@novell.com
http://bugzilla.novell.com/show_bug.cgi?id=503276#c1

--- Comment #1 from Michael Schröder <mls@novell.com> 2009-05-13 02:53:36 MDT ---
The problem is that this change needs a big announcement, as otherwise people will complain that 'zypper up' suddenly stopped updating their packages.
http://bugzilla.novell.com/show_bug.cgi?id=503276#c2

--- Comment #2 from Stephan Kleine <bitdealer@gmail.com> 2009-05-14 13:54:17 MDT ---
Agreed, that might be quite some change (albeit late might be better than never).

Anyways, how about we start to do that from Factory / 11.2 on? That way it should be an automatic transition and doesn't confuse anyone.
http://bugzilla.novell.com/show_bug.cgi?id=503276#c3

Cristian Morales Vega <cmorve69@yahoo.es> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |cmorve69@yahoo.es

--- Comment #3 from Cristian Morales Vega <cmorve69@yahoo.es> 2009-07-01 18:33:00 MDT ---
Probably a better Vendor name would be prepending "openSUSE Build Service": "openSUSE Build Service (home:bitshuffler)", "openSUSE Build Service (KDE:KDE4:Communtiy)", etc.

That way if someone wants the old behavior he could just create a file at /etc/zypp/vendors.d/ with

    [main]
    vendors=openSUSE Build Service

..well, I'm 99% about this.
http://bugzilla.novell.com/show_bug.cgi?id=503276#c4

Andreas Jaeger <aj@novell.com> changed:

What          |Removed |Added
----------------------------------------------------------------------------
Status        |NEW     |NEEDINFO
Info Provider |        |mls@novell.com

--- Comment #4 from Andreas Jaeger <aj@novell.com> 2009-08-12 06:36:33 MDT ---
Can we do this once we switch to 11.2 as separate distribution?
http://bugzilla.novell.com/show_bug.cgi?id=503276#c5

Andreas Jaeger <aj@novell.com> changed:

What          |Removed        |Added
----------------------------------------------------------------------------
Info Provider |mls@novell.com |adrian@novell.com

--- Comment #5 from Andreas Jaeger <aj@novell.com> 2009-08-12 06:37:35 MDT ---
Adrian, what do you suggest?
http://bugzilla.novell.com/show_bug.cgi?id=503276#c6

--- Comment #6 from Stephan Kleine <bitdealer@gmail.com> 2009-08-26 09:39:11 MDT ---
This has nothing to do with forking of 11.2 because it is the exact same issue with Factory.

Simply do it for Factory ASAP and then of course also for all future releases (e.g. 11.2) but don't do it for already released versions (e.g. 11.1) to avoid the problems Michael explained in #1.

For factory it shouldn't matter because people normally use dup instead of up there anyways which doesn't block vendor changes.
http://bugzilla.novell.com/show_bug.cgi?id=503276#c7

Michael Schröder <mls@novell.com> changed:

What          |Removed           |Added
----------------------------------------------------------------------------
Status        |NEEDINFO          |RESOLVED
Info Provider |adrian@novell.com |
Resolution    |                  |FIXED

--- Comment #7 from Michael Schröder <mls@novell.com> 2009-09-15 07:52:24 MDT ---
Yes, now fixed.
http://bugzilla.novell.com/show_bug.cgi?id=503276#c8

Stephan Kleine <bitdealer@gmail.com> changed:

What       |Removed   |Added
----------------------------------------------------------------------------
Priority   |P5 - None |P2 - High
Status     |RESOLVED  |REOPENED
Resolution |FIXED     |

--- Comment #8 from Stephan Kleine <bitdealer@gmail.com> 2009-10-05 01:29:59 MDT ---
Reopening cause it is still broken.

E.g. "trac" from the "devel:tools:scm" repo has as vendor

    obs://build.opensuse.org/devel:tools

which should be

    obs://build.opensuse.org/devel:tools:scm

See

    rpm -qp --queryformat "%{VENDOR} \n" http://download.opensuse.org/repositories/devel:/tools:/scm/openSUSE_Factory...

Another example: "kde3-amarok" from the "KDE:Backports" repo has as vendor

    obs://build.opensuse.org/KDE

instead of

    obs://build.opensuse.org/KDE:Backports

See

    rpm -qip --queryformat "%{VENDOR} \n" http://download.opensuse.org/repositories/KDE:/Backports/openSUSE_10.3/i586/...

My point is that _every_ repository has to have a _unique_ vendor, otherwise one isn't able to specify that a package should come from that _1_ repo and nowhere else which will lead to trouble sooner or later.

Proposed resolution: Simply use the _whole_ repository name as vendor string without cutting the last part off.
http://bugzilla.novell.com/show_bug.cgi?id=503276#c9

Michael Schröder <mls@novell.com> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Status     |REOPENED |RESOLVED
Resolution |         |FIXED

--- Comment #9 from Michael Schröder <mls@novell.com> 2009-10-05 02:59:47 MDT ---
It's working like designed, it doesn't simply cut off the last part. It uses the same key as the vendor as for signing the packages. If you want a different vendor, create a different key. You can also overwrite the vendor setting in the project configuration.
http://bugzilla.novell.com/show_bug.cgi?id=503276#c10

Adrian Schröter <adrian@novell.com> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Status     |RESOLVED |REOPENED
Resolution |FIXED    |

--- Comment #10 from Adrian Schröter <adrian@novell.com> 2009-10-18 23:50:04 MDT ---
After discussing with bitshuffler on IRC:

The problem here might be that it breaks the vendor stickiness concept of zypper.

For example when I have home:adrianSuSE with my stable releases and home:adrianSuSE:SVN-SNAPSHOT, the trust should be the same, because it is always me, so it is okay to use just one gpg key.

But having one vendor for both projects would lead to the situation that it is not predictable if zypper stays with one of the repos for a package on update.

So, I would consider to set the vendor to the building project, but not to the gpg key project.
http://bugzilla.novell.com/show_bug.cgi?id=503276#c11

Adrian Schröter <adrian@novell.com> changed:

What          |Removed  |Added
----------------------------------------------------------------------------
Status        |REOPENED |NEEDINFO
Info Provider |         |dmacvicar@novell.com

--- Comment #11 from Adrian Schröter <adrian@novell.com> 2009-10-18 23:52:57 MDT ---
Alternative, maybe better solution would be, if zypp would stick to repos, instead of to Vendors.

Duncan, any opinion from you?
http://bugzilla.novell.com/show_bug.cgi?id=503276#c12

--- Comment #12 from Adrian Schröter <adrian@novell.com> 2009-10-19 00:02:24 MDT ---
Maybe do it both, first to try to stick to vendor and secondly also to the repo. This would be a straightforward development without becoming incompatible.
http://bugzilla.novell.com/show_bug.cgi?id=503276#c13

--- Comment #13 from Stephan Kleine <bitdealer@gmail.com> 2009-10-19 00:13:59 MDT ---
The only objection I have to Adrian's comment #10 is that any compromisation of e.g. his home:adrianSuSE key also will compromise any of its subprojects - e.g. home:adrianSuSE:SVN-SNAPSHOT so using a unique key per repository is more secure.
http://bugzilla.novell.com/show_bug.cgi?id=503276#c14

--- Comment #14 from Adrian Schröter <adrian@novell.com> 2009-10-19 00:23:47 MDT ---
If my home key is compromised, it is very likely that the other is also (and maybe all of OBS).

Keys represent the people (groups), not their current intended work.

So, if adrianSuSE from home:adrianSuSE steals your money and installs backdoors on your system, the adrianSuSE from :SVN is doing the same most likely.
http://bugzilla.novell.com/show_bug.cgi?id=503276#c15

--- Comment #15 from Stephan Kleine <bitdealer@gmail.com> 2009-10-19 01:43:22 MDT ---
*** Bug 544524 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=544524
http://bugzilla.novell.com/show_bug.cgi?id=503276#c16

--- Comment #16 from Cristian Morales Vega <cmorve69@yahoo.es> 2009-10-19 01:49:30 MDT ---
I suppose the repo thing can be done *now* since now there is http://en.opensuse.org/Libzypp/Package_History. But if I have to trust the wiki the repo is identified by the alias. Perhaps bnc#377568 should be fixed first.
http://bugzilla.novell.com/show_bug.cgi?id=503276#c17

Duncan Mac-Vicar <dmacvicar@novell.com> changed:

What          |Removed              |Added
----------------------------------------------------------------------------
Status        |NEEDINFO             |REOPENED
CC            |                     |dmacvicar@novell.com
Info Provider |dmacvicar@novell.com |

--- Comment #17 from Duncan Mac-Vicar <dmacvicar@novell.com> 2009-11-24 12:27:46 UTC ---
I think the gpg key should be the same for sub projects. The vendor is not.

The repo can't be uniquely identified, so it is not used for this comparison.
http://bugzilla.novell.com/show_bug.cgi?id=503276#c18

Christian Boltz <suse-beta@cboltz.de> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |suse-beta@cboltz.de

--- Comment #18 from Christian Boltz <suse-beta@cboltz.de> 2009-11-24 23:26:36 CET ---
(In reply to comment #17)
> I think the gpg key should be the same for sub projects.

You want the same key for devel:*? ;-)

Well, but I get your point. This could really be useful if implemented as a prjconf option:

    [x] inherit GPG key to subprojects

(not sure if the subprojects need an option "don't use key from parent" ;-)
http://bugzilla.novell.com/show_bug.cgi?id=503276#c19

--- Comment #19 from Duncan Mac-Vicar <dmacvicar@novell.com> 2009-11-25 09:18:49 UTC ---
Well, what I mean is that the gpg key could be the same, if the trust of the repositories is the same. At least this is true for home:user:subprojects. If it is the same you have to deal with the consequence that you are trusting the whole sub-tree of repositories.

For the vendor, yes, it may be the same as well, but it should not. If vendor is the same and a repo has chromium the browser and a subtree has chromium the game, they are treated as the same package.
http://bugzilla.novell.com/show_bug.cgi?id=503276#c20

Michael Schröder <mls@novell.com> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Status     |REOPENED |CLOSED
Resolution |         |FIXED

--- Comment #20 from Michael Schröder <mls@novell.com> 2009-11-25 10:24:51 UTC ---
I'm closing this bug as the implementation works as designed. Users who want different vendors for each subproject can do this in their project config. If you want to discuss this feature, please take it to the mailing list.
http://bugzilla.novell.com/show_bug.cgi?id=503276#c21

Stephan Kleine <bitdealer@gmail.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Status     |CLOSED  |REOPENED
Resolution |FIXED   |

--- Comment #21 from Stephan Kleine <bitdealer@gmail.com> 2009-11-25 11:04:49 UTC ---
Reopening cause the solution is not acceptable.

I don't care if you use different keys per project (I changed my mind in that regard and now agree with Adrian that it makes sense if some sub projects share the same key) but it is absolutely mandatory that every single project uses a different vendor since otherwise it is absolutely impossible to enforce that a package is only installed from a certain repository if repositories have the same vendor thanks to zypp's vendor stickiness (which sadly enough won't change).

Also "Users who want different vendors for each subproject can do this in their project config." might work fine for a build service that is totally under my control but it surely doesn't work for the public OBS and, probably quite understandable, I won't start writing every project owner a mail asking to do this.

So the only sensible solution is to get rid of the pgp key <-> vendor link, generate unique vendors for all existing projects and generate unique vendors automatically for all new projects.

Until that happens using zypp & OBS is a time bomb that will blow right in one's face sooner or later so please change your configuration.
http://bugzilla.novell.com/show_bug.cgi?id=503276#c22

--- Comment #22 from Stephan Kleine <bitdealer@gmail.com> 2009-11-25 11:07:13 UTC ---
And just to prevent any misunderstanding: I couldn't care less about the implementation details. My problem simply is that the current configuration of OBS just begs for trouble.

Only if getting rid of the pgp key <-> vendor link means you have to change the implementation then so be it.
http://bugzilla.novell.com/show_bug.cgi?id=503276#c23

--- Comment #23 from Michael Schröder <mls@novell.com> 2009-11-25 12:58:25 UTC ---
Please take this to the mailing list. Just reopening this bug won't convince me to change the code.
http://bugzilla.novell.com/show_bug.cgi?id=503276#c24

--- Comment #24 from Stephan Kleine <bitdealer@gmail.com> 2009-11-25 13:58:58 UTC ---
Well, then think about how to solve the following with the current setup of the _public OBS_:

Project A:Foo contains Package1 (stable release) and Project A:Bar contains Package1 (svn snapshots, most time broken). Further A:Bar contains Package2 which I want to install as well.

So we have the following situation:

1. Project A:Foo and A:Bar share the same key and therefore currently have the same vendor.
2. I want Package1 _only_ from A:Foo since the version in A:Bar is most times broken.
3. I also need to add Project A:Bar since it contains Package2 which I want to install as well.

So how am I supposed to force zypp now to get Package1 only from A:Foo and not to constantly switch to the broken versions in A:Bar (which is newer but broken)?

I honestly fail to see why it should be taken to the mailing lists and what there is to discuss since it is currently impossible and therefore obviously broken.

And no, IMHO, writing people an email to ask them to please use separate vendors is no option since there are too many repos on OBS and the problem can arise out of nowhere as soon as someone adds some package somewhere. Also this problem would not exist if you would simply use unique vendors per repository.

So, with all due respect, until you can come up with a solution for the above use case _on the public OBS_ I dare to say that either the implementation or the configuration currently is broken and needs to be fixed.
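
The A:Foo / A:Bar scenario from comment #24, as an added example that is not part of the thread and is not OBS or libzypp code: a deliberately simplified model of a vendor-sticky update, plus a check for packages that the vendor string cannot pin to one repository. Project and package names come from the comment; the versions, the vendor strings built on `obs://build.opensuse.org/`, the exact-match vendor rule and all function names are assumptions made for the illustration.

```python
# Added illustration (not OBS or libzypp code): a simplified model of
# vendor-sticky updates, applied to the A:Foo / A:Bar case of comment #24.
from collections import defaultdict
from typing import NamedTuple

BASE = "obs://build.opensuse.org/"   # vendor prefix seen in comment #8


class Pkg(NamedTuple):
    repo: str
    name: str
    version: tuple   # constructed, comparable version such as (1, 0)
    vendor: str


def pick_update(installed, available):
    """Model of an update that refuses vendor changes: choose the newest
    package of the same name whose vendor equals the installed vendor.
    Assumption: vendors are compared as exact strings."""
    allowed = [p for p in available
               if p.name == installed.name and p.vendor == installed.vendor]
    return max(allowed + [installed], key=lambda p: p.version)


def unpinnable(available):
    """Return {(name, vendor): [repos]} for every package that more than
    one repository offers under the same vendor string."""
    repos = defaultdict(set)
    for p in available:
        repos[(p.name, p.vendor)].add(p.repo)
    return {key: sorted(r) for key, r in repos.items() if len(r) > 1}


def shared_vendor(project):
    # Assumption: the signing key lives in the top-level project "A",
    # so every subproject inherits that project's name as its vendor.
    return BASE + project.split(":")[0]


def per_project_vendor(project):
    # The proposal in the thread: the full project name is the vendor.
    return BASE + project


def catalogue(vendor_of):
    """Constructed sample data for the two repositories."""
    return [
        Pkg("A:Foo", "Package1", (1, 0), vendor_of("A:Foo")),  # stable
        Pkg("A:Bar", "Package1", (1, 1), vendor_of("A:Bar")),  # snapshot
        Pkg("A:Bar", "Package2", (0, 5), vendor_of("A:Bar")),
    ]


def demo():
    """Run both vendor schemes with Package1 installed from A:Foo."""
    results = {}
    for label, vendor_of in (("shared", shared_vendor),
                             ("per-project", per_project_vendor)):
        available = catalogue(vendor_of)
        installed = available[0]
        chosen = pick_update(installed, available)
        results[label] = (chosen.repo, unpinnable(available))
    return results


if __name__ == "__main__":
    for label, (repo, clashes) in demo().items():
        print(f"{label}: Package1 updates from {repo}; ambiguous: {clashes}")
```
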
http://bugzilla.novell.com/show_bug.cgi?id=503276#c25

--- Comment #25 from Michael Schröder <mls@novell.com> 2009-11-25 14:05:14 UTC ---
Either use repo priorities or configure different vendors in the macro section of your projects' configurations (osc meta prjconf).

I would use repo prios, as in that case 'zypper dup' (which ignores vendors) still works.
http://bugzilla.novell.com/show_bug.cgi?id=503276#c26

--- Comment #26 from Stephan Kleine <bitdealer@gmail.com> 2009-11-25 14:28:36 UTC ---
Well, editing the prjconf is no option cause the repos aren't under my control and using repo priorities won't work anymore if there's a package that is in both repos and which I would like to get only from A:Bar. OTOH if you would use unique vendors the problem wouldn't exist in the first place.

Seriously, what is your problem with unique vendors per repository? As in why are you arguing that hard that this problem doesn't exist cause imho it is a pretty major one that turns zypp & OBS into a time bomb?
https://bugzilla.novell.com/show_bug.cgi?id=503276#c27

Christian Boltz <suse-beta@cboltz.de> changed:

What         |Removed  |Added
----------------------------------------------------------------------------
Status       |REOPENED |NEEDINFO
InfoProvider |         |bitdealer@gmail.com

--- Comment #27 from Christian Boltz <suse-beta@cboltz.de> 2012-07-01 19:16:53 CEST ---
I just stumbled over this ancient bug - does this problem still exist?

The current situation seems to be:
- Vendor: contains the parent project (home:cboltz)
- Distribution: contains the exact subproject (home:cboltz:something)

Now the interesting question is if zypper reads Vendor: or Distribution: ;-)
https://bugzilla.novell.com/show_bug.cgi?id=503276#c28

--- Comment #28 from Michael Schröder <mls@suse.com> 2012-07-02 08:39:18 UTC ---
Vendor contains the project used for signing the packages, so if you create a special key in your sub-project, it will be used as vendor instead of the parent.

Zypper uses "Vendor".