Mailinglist Archive: opensuse-features (542 mails)

< Previous Next >
[openFATE 310233] skip repo update when installing packages with zypper
  • From: fate_noreply@xxxxxxx
  • Date: Fri, 17 Dec 2010 11:09:07 +0100 (CET)
  • Message-id: <feature-310233-17@xxxxxxxxxxxxxx>
Feature changed by: Sascha Peilicke (saschpe)
Feature #310233, revision 17
Title: skip repo update when installing packages with zypper

- Buildservice: Unconfirmed
+ Buildservice: Rejected by Sascha Peilicke (saschpe)
+ reject reason: So the feature was about having a "zypper ref" cronjob
+ and/or triggering a refresh after user login. So far the feature seems
+ to be widely refused as inappropriate. Old feature, no recent activity,
+ I guess closing is ok.
Priority
Requester: Desirable

Requested by: Denny Beyer (lumnis)
Partner organization: openSUSE.org

Description:
When installing a new package with zypper etc. everytime you run
zypper, repos are getting updated and the user has to wait for that
process to be finished. Because a general user needs several extra
repos, this waiting time always seems to be too long.
Why not running 'zypper ref' as a low priority task after startup/time
intervall has passed and give the user immidiate access to zypper to
install a software package?
The picture I have in mind is someone just wants to install a package.

Discussion:
#1: Jan Engelhardt (jengelh) (2010-07-25 13:14:49)
>Because a general user needs several extra repo
 
No he does not.

#2: Denny Beyer (lumnis) (2010-07-25 16:20:28) (reply to #1)
and you are THE general user to have the worlds wisdom to judge that
.... why don't you leave that decision up to openfate users to vote?

#12: Jan Engelhardt (jengelh) (2010-07-26 22:14:57) (reply to #2)
No, I am, bluntly speaking, among those who have to wade through
general users' mess of repos when they post a problem in the forums.

#3: Ned Ulbricht (ned_ulbricht) (2010-07-25 18:13:07)
You don't want someone unknowingly installing a vulnerable package
after a security update has been released.

#4: Denny Beyer (lumnis) (2010-07-25 22:44:32) (reply to #3)
Please explain, I don't see any difference it would make to weather I
wait for zypper or not.

#6: Ned Ulbricht (ned_ulbricht) (2010-07-25 23:10:35) (reply to #4)
Let's take this explanation a little piece at a time.  
 
So first, say there's a package on the DVD, call it foo-1.0-1.i586.rpm
.  Now, since the last time you've refreshed your repos, there's been a
awful security flaw found and patched.  The updates repo has foo-1.1-1.
i586.rpm available.  (Never mind delta rpms, let's keep this simple.)
 
What do you think should happen when you execute....
# zypper install foo
???
 
If libzypp hasn't refreshed the updates repo, how is libzypp supposed
to know that foo-1.1-1.i586.rpm exists? Computer telepathy?  Take a
swing at answering this, please.
 
 

#8: Denny Beyer (lumnis) (2010-07-25 23:23:32) (reply to #6)
>What do you think should happen when you execute....
># zypper install foo
zypper does it's job and installs the latest package, which would be
the patched version. And it knows about it, because I updated the repos
just 10min ago ... or the updater did it after loggin in or the deamon
or what not.
>If libzypp hasn't refreshed the updates repo, how is libzypp supposed
to know that >foo-1.1-1.i586.rpm exists? Computer telepathy?  Take a
swing at answering this, please.
I'm not talking about not to do a refresh at all, but is it really
necessary each time you run zypper? There could still be a switch to
force to update, otherwise like once a day/once after login might be
enough in general.

#10: Ned Ulbricht (ned_ulbricht) (2010-07-26 01:36:30) (reply to #8)
If you yourself want metadata refreshed only once a day,  then you can
already just turn off auto-refresh in all your repos, and start a daily
cron job for zypper -q refresh .  But if you do that, then you're
knowingly assuming the risk that you'll have out-of-date metadata when
you install a package.

#11: Denny Beyer (lumnis) (2010-07-26 21:30:04) (reply to #10)
And what would happen, would that be the case? - The (newer) package
would be installed anyway?
Zypper throughs an exception for not finding the package, I can update
it afterwards and rerun zypper? Zypper tells me to update right away,
as it noticed it's not up-to-date?

#13: Ned Ulbricht (ned_ulbricht) (2010-07-27 00:05:55) (reply to #11)
Well, if you're still running 11.1, with a default KDE desktop, then
you'll probably trigger what seems like a relatively benign bug.   It's
somewhat annoying, but only somewhat annoying, so I haven't been
motivated enough to find the time to report it.  Chances are the bug is
PackageKit-0.3.11-1.14.1 .  Under some circumstances, it doesn't seem
to honor autorefresh=0 .   Anyhow, if you configure kupdateapplet to
use the ZYpp Plugin instead of the PackageKit Plugin, you'll work
around the bug.  Alternatively, kill kupdateapplet and just use zypper
--that's another workaround for the bug.   Or if you're running
something newer than 11.1, then you could try and reproduce it, and
file a bug report.   I have 11.2 here too, but that's in production use
as DNS and DHCP and doesn't run a desktop.
 
So anyhow, why don't you just check it out and see what happens?

#5: Stefanos Kotsonis (kotsonis) (2010-07-25 22:57:27) (reply to #3)
Agreed, but those are going to show up on the desktop via the updater
applet.
The idea of having zypper keeping itself refreshed via a daemon makes a
lot of sense to me.

#7: Ned Ulbricht (ned_ulbricht) (2010-07-25 23:19:48) (reply to #5)
How big of a vulnerability window do you want?
 
I normally back off to repo.refresh.delay = 60 in /etc/zypp/zypp.conf
.  I wouldn't recommend that as a default.  But it's convenient for me,
and I know I put that value in there, so it doesn't surprise me.
 
Compare that hour to refreshing metadata in the background every
hour.  How much bandwidth do you want to spend?   The load gets heavier
if leave the default at 10 minutes.

#9: Denny Beyer (lumnis) (2010-07-25 23:31:18) (reply to #7)
Let me ask a question that might sound silly to some more knowledgable
people: Whould that situation change, would the server send out a
notification to registered users once the repo has been updated? Like a
broadcast message service - or twitter - if you like, and zypper would
keep reading those messages for something interesting to it? So it's
not the user requestion each and every time that information you run
zypper, but the servers is sending it only if a status changed.



--
openSUSE Feature:
https://features.opensuse.org/310233

< Previous Next >
This Thread
  • No further messages