Hi all,
Recently I've updated one of my machines from 10.0 to 10.1; obviously the main problem has been the problematic libzypp update.
I have installation and update mirrors in my LAN (and a packman repository mirror too); both are really updated every day via rsync. So, my idea about zen-update problem was "ok, no problem, I put the path of local YOU mirror and go on" but... not.
The problem was really easy but hard to find out: now, the YOU mirrors are added from "Change installation sources". So, ¿why? I think the previous method (add the repositories in YOU interface itself) was more clear.
Another question ¿why the YaST package manager shows me an error from packman repository about the security of it?
And, one more and last question ¿Is there some way to deinstall zen-updater without libraries dependencies?
TIA.
--
Jordi Espasa Clofent
Linux user id 332494 #http://counter.li.org/
PGP id 0xC5ABA76A #http://pgp.mit.edu/
FSF Associate Member id 4281 #http://www.fsf.org/
On Mon, Jul 17, 2006 at 08:32:04AM +0200, Kunael wrote:
> Hi all,
> Recently I've updated one of my machines from 10.0 to 10.1; obviously the main problem has been the problematic libzypp update.
> I have installation and update mirrors in my LAN (and a packman repository mirror too); both are really updated every day via rsync. So, my idea about zen-update problem was "ok, no problem, I put the path of local YOU mirror and go on" but... not.
> The problem was really easy but hard to find out: now, the YOU mirrors are added from "Change installation sources". So, ¿why? I think the previous method (add the repositories in YOU interface itself) was more clear.
Installation and Update sources are now handled the same way, so normal Installation will install also the latest security update, or the updater will install new / changed dependencies of packages.
> Another question ¿why the YaST package manager shows me an error from packman repository about the security of it?
Because it is not cryptographically signed. This means that you cannot ensure that an attacker has modified it (on the ftp site) to install exploits on your machine or similar.
> And, one more and last question ¿Is there some way to deinstall zen-updater without libraries dependencies?
Well zen-updater can be deinstalled just fine, you likely want to deinstall zmd too... (which might have more dependencies.)
Ciao, Marcus
> Installation and Update sources are now handled the same way, so normal Installation will install also the latest security update, or the updater will install new / changed dependencies of packages.
Ok; indeed, it's a good reason. But I think this info does not appear in the Release Notes file. I know it's a minor change, but possibly other users don't know it (as me, of course :P) Maybe it would be a good idea to include that info in the Release Notes file.
> Because it is not cryptographically signed. This means that you cannot ensure that an attacker has modified it (on the ftp site) to install exploits on your machine or similar.
¿Can the packman admins sign their packages? I think packman repositories have prestige enough for that. I don't see any reason not to do it.
> Well zen-updater can be deinstalled just fine, you likely want to deinstall zmd too... (which might have more dependencies.)
;)
--
Jordi Espasa Clofent
Linux user id 332494 #http://counter.li.org/
PGP id 0xC5ABA76A #http://pgp.mit.edu/
FSF Associate Member id 4281 #http://www.fsf.org/
Kunael wrote:
>> Installation and Update sources are now handled the same way, so normal Installation will install also the latest security update, or the updater will install new / changed dependencies of packages.
> Ok; indeed, it's a good reason. But I think this info does not appear in the Release Notes file. I know it's a minor change, but possibly other users don't know it (as me, of course :P) Maybe it would be a good idea to include that info in the Release Notes file.
>> Because it is not cryptographically signed. This means that you cannot ensure that an attacker has modified it (on the ftp site) to install exploits on your machine or similar.
> ¿Can the packman admins sign their packages? I think packman repositories have prestige enough for that. I don't see any reason not to do it.
It's not a question of "prestige", but
1) it has been done 100% behind the curtain and not advertised by the SUSE staff until it was implemented and released (and no easy path/instructions offered to do it for 3rd party repository maintainers)
2) better contact the Packman team directly: packman@links2linux.de
cheers
--
-o) Pascal Bleser http://linux01.gwdg.de/~pbleser/
/\\
> It's not a question of "prestige", but
> 1) it has been done 100% behind the curtain and not advertised by the SUSE staff until it was implemented and released (and no easy path/instructions offered to do it for 3rd party repository maintainers)
> 2) better contact the Packman team directly: packman@links2linux.de
Ok Pascal, I'll be aware of it. Thanks for the explanation.
--
Jordi Espasa Clofent
Linux user id 332494 #http://counter.li.org/
PGP id 0xC5ABA76A #http://pgp.mit.edu/
FSF Associate Member id 4281 #http://www.fsf.org/
On Sat, Jul 22, 2006 at 10:55:32AM +0200, Pascal Bleser wrote:
> Kunael wrote:
>>> Installation and Update sources are now handled the same way, so normal Installation will install also the latest security update, or the updater will install new / changed dependencies of packages.
>> Ok; indeed, it's a good reason. But I think this info does not appear in the Release Notes file. I know it's a minor change, but possibly other users don't know it (as me, of course :P) Maybe it would be a good idea to include that info in the Release Notes file.
>>> Because it is not cryptographically signed. This means that you cannot ensure that an attacker has modified it (on the ftp site) to install exploits on your machine or similar.
>> ¿Can the packman admins sign their packages? I think packman repositories have prestige enough for that. I don't see any reason not to do it.
> It's not a question of "prestige", but
> 1) it has been done 100% behind the curtain and not advertised by the SUSE staff until it was implemented and released (and no easy path/instructions offered to do it for 3rd party repository maintainers)
Because it was only planned and started 1 week before addition.
- YUM repos are trivial to sign.
- Old style YaST repos similar.
Both were documented clearly and obviously on time and there is nothing actually stopping you from using it right now.
http://opensuse.org/Secure_Installation_Sources
So stop spreading misinformed guesses.
Ciao, Marcus
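The signing step discussed in the thread, as an added example that is not part of any message above or of the openSUSE documentation: a maintainer detach-signs the YUM metadata file repomd.xml, and the client-side check fails once the file is changed on the mirror. The key identity, directories and repomd.xml content are constructed for the demo; repomd.xml.asc and repomd.xml.key are the file names signed YUM repositories use.

```shell
#!/bin/sh
# Added example: detached GPG signature over YUM repository metadata.
# Key identity, paths and repomd.xml content are constructed for the demo.

make_demo_repo() {   # $1 = work dir; writes a constructed repomd.xml
    mkdir -p "$1/repodata" "$1/maintainer" "$1/client"
    chmod 700 "$1/maintainer" "$1/client"
    cat > "$1/repodata/repomd.xml" <<'EOF'
<?xml version="1.0"?>
<repomd>
  <data type="primary"><location href="repodata/primary.xml.gz"/></data>
</repomd>
EOF
}

sign_repo() {        # maintainer side: create key, sign, publish public key
    gpg --homedir "$1/maintainer" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key \
        'Demo Repo <repo@example.invalid>' default default never 2>/dev/null
    gpg --homedir "$1/maintainer" --batch --yes --armor \
        --detach-sign "$1/repodata/repomd.xml"            # -> repomd.xml.asc
    gpg --homedir "$1/maintainer" --batch --armor --export \
        > "$1/repodata/repomd.xml.key"
    GNUPGHOME="$1/maintainer" gpgconf --kill gpg-agent || true
}

verify_repo() {      # client side: prints "trusted" or "untrusted"
    # A real client must confirm the key fingerprint out of band before
    # importing; a key shipped beside the metadata proves nothing by itself.
    gpg --homedir "$1/client" --batch --quiet \
        --import "$1/repodata/repomd.xml.key" 2>/dev/null
    if gpg --homedir "$1/client" --batch \
        --verify "$1/repodata/repomd.xml.asc" "$1/repodata/repomd.xml" 2>/dev/null
    then echo trusted; else echo untrusted; fi
}

demo() {             # prints the verdict before and after tampering
    d=$(mktemp -d)
    make_demo_repo "$d"
    sign_repo "$d"
    before=$(verify_repo "$d")
    # Simulate a change made on the mirror after signing.
    printf '<!-- altered on mirror -->\n' >> "$d/repodata/repomd.xml"
    after=$(verify_repo "$d")
    rm -rf "$d"
    echo "$before $after"
}

if command -v gpg >/dev/null 2>&1; then demo; fi
```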
participants (3): Kunael, Marcus Meissner, Pascal Bleser