http://bugzilla.novell.com/show_bug.cgi?id=544524 User bitdealer@gmail.com added comment http://bugzilla.novell.com/show_bug.cgi?id=544524#c1 --- Comment #1 from Stephan Kleine 2009-10-05 20:37:25 MDT --- Last but not least what I forgot to mention is that the current situation simply violates the "trust principle". E.g. I might trust the devel:tools repo (for the sake of having an example) but that necessarily doesn't mean I truest every subproject of it but since all its subprojects are signed with the same key I implicitly trust them as well although I never choose to do so. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=544524 User adrian@novell.com added comment http://bugzilla.novell.com/show_bug.cgi?id=544524#c2 Adrian Schröter changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P2 - High Severity|Critical |Enhancement --- Comment #2 from Adrian Schröter 2009-10-13 01:36:23 MDT --- All top level projects are using a different repo key. It is up to the project owners if they want to use on own one or not (there is an api call for creating or removing a key per project). Yes, there is osc and web client support missing for this, so I will turn this into a feature request for it. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=544524 User bitdealer@gmail.com added comment http://bugzilla.novell.com/show_bug.cgi?id=544524#c3 Stephan Kleine changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Support project key |Use unqiue keys / vendors |management in osc | Severity|Enhancement |Critical --- Comment #3 from Stephan Kleine 2009-10-13 03:04:50 MDT --- Well, I don't really care if there is osc or web client support (calling the api with curl is fine with me as well) but my problem is that most repositories are outside of my control. E.g. (to stick with the devel:tools:* example) I can't configure devel:tools:scm to use another key than devel:tools cause I'm not the project owner. In other words: it is great that the build service supports generating new keys on demand but as long as more than one project has the same vendor it screws over zypp's vendor stickiness and therefore the configuration has to be changed because not being able to say "I want package A from repo X and not from Y (while X & Y use the same vendor / key) is simply not acceptable cause it's a sure road to hell sooner or later. Stuff like KDE:* might be an example where it makes sense to have the same key to make users life easier but it's more an example of an exception IMHO. Therefore changing it to a bug again. Please change the OBS configuration or convince the zypp folks that their vendor stickiness concepts is abysmal (to say it politely). -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=544524 User bitdealer@gmail.com added comment http://bugzilla.novell.com/show_bug.cgi?id=544524#c5 Stephan Kleine changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO Info Provider| |adrian@novell.com --- Comment #5 from Stephan Kleine 2009-10-13 08:45:40 MDT ---

we have the Vendor and the key domain bind together since some weeks. Means the vendor is set based on where the key comes from.

Right. That improves the situation compared to one vendor for all repositories but still is far from perfect cause of zypps retarded package handline that relies on vendors.

If you want to create bugs, than please assign them to the project owners.

The bug is, IMHO, the current configuration of OBS that uses the same key / vendor for more than one repository which then makes it impossible to say "I want package X from repo A but not from B" if A & B use the same key / vendor. Also, do you really think that filing bugs against most of the non home repos so their owners request an unique key makes more sense than simply switching some default config for newly created projects and then iterating over the project tree to change it for existing ones? I humbly dare to disagree. Last but not least I fail to see what your problem might be with using unique keys per repository? You have to accept it once per key (which costs like 2 seconds more time) but therefore you have the peace of mind that your package isn't switched to some random other repository that happens to use the same key in which another, newer, version might show up that you do NOT want to install. So, what problem do you see with using unique keys per repository? As in what prevents your from switching over from the current setup to unique keys to prevent zypps vendor stickiness from screwing one over? -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.