* Jan Kupec <jkupec@suse.cz> [Jul 31. 2008 16:07]:
Klaus Kaempf wrote:
* Jan Kupec <jkupec@suse.cz> [Jul 31. 2008 15:44]:
But first things first: if we are going to log the origin of packages (vendor, repo, etc..). We should first clarify what will be the *purpose* of this 'origin' data. What do we want to accomplish with this.
To unambiguously identify which package was installed/updated/removed.
OK. What about the *vendor* and the package *signing key* plus the *checksum* then? Such triple should not be fake-able.
I guess the checksum is sufficient to identify the package exactly. The information in the log is about package identity, not about package validity.
It should also serve as a 'rollback' information, if one must revert an update.
But that would be possible only until the original packages stay in the repository, or?
Either in the repository or a mirror or the package cache. If an admin wants to rollback, its his responsibility to provide 'backup copies'. The log information only helps him to find the right copy. Klaus -- To unsubscribe, e-mail: zypp-devel+unsubscribe@opensuse.org For additional commands, e-mail: zypp-devel+help@opensuse.org