Mailinglist Archive: opensuse-buildservice (311 mails)

Re: [opensuse-buildservice] Unique vendors per repository are a must and the current setup is a timebomb / security hole
  • From: Adrian Schröter <adrian@xxxxxxx>
  • Date: Thu, 26 Nov 2009 06:22:25 +0100
  • Message-id: <200911260622.25463.adrian@xxxxxxx>
On Thursday, 26 November 2009 05:50:09, Adrian Schröter wrote:
> On Thursday, 26 November 2009 03:53:32, Stephan Kleine wrote:
> > Proposed solution:
> >
> > 1. Feel free to use the same key to sign different (sub)repositories (as
> > it is now) if the "trustlevel" is the same.
> >
> > 2. Use _unique_ vendors per repository so one is able to say "I want
> > PackageX only from RepositoryY and nowhere else." which is currently
> > _not_ possible.
>
> Vendor is saying "who" is publishing something. So it makes absolutely no
> sense to have different vendors below home:adrianSuSE, because it is
> always me. (at least by default).

Just to add this, if we enforce different vendors for each project, setups
like the "released packages from project X" and updates from project Y are not
possible anymore (or at least not without OBS administrator overwrite rights).
This is used for example in openSUSE:11.2 and openSUSE:11.2:Update.

Other examples are openSUSE:Tools, which contains the stable packages, and
openSUSE:Tools:Unstable, which just contains some replacements for testing.

If you would manually override only to use some packages of :Unstable but
ignore some others this is not a use case which is intended by us project



Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@xxxxxxx
