[Rpm-metadata] RFE: auto processing of XML files in repodata/ ?

seth vidal skvidal at fedoraproject.org
Thu Jan 31 07:06:48 UTC 2008


On Fri, 2008-01-25 at 09:13 +0000, Piete Brooks wrote:
> > auto-adding the files is somewhat of a security hang up.
> 
> :-((
> 
> > It means if anyone can write anything to the repodata dir
> 
> ... just the once ...
> 
> > then those files will continue being propagated w/o my knowing it
> 
> ... assuming the processing is automatic, or you don't read the output 
> carefully

Then why not just script the modifyrepo lines if the process is
automatic?


> >> 1) include any .xml[.gz] file which is mentioned in the old repomd.xml
> >> 2) include any .xml[.gz] file in the old repodata/
> 
> I take it that those two are ruled out.

more likely than not, yes

> 
> >> 3) do (1) or (2) if a command line flag is passed to createrepo (-a ?)
> 
> Would you be happy with that? The default remains that extra files are 
> ignored, but if the user explicitly asks "do auto process all XMLs", it will 
> do (1)?

perhaps.


> I don't see a config file, so no way to tailor it per site.
true - a config file would be a bit odd for something as
instance-specific as createrepo.


> > If you feel like sending a patch I'd definitely take a look.
> 
> I write perl rather than python. I can (just about) read python, but I suspect 
> you'd not want anything I wrote in it!
> 
> Any use if I wrote in perl or comments the sort of thing I was after?

yah - perl wouldn't be all that helpful.

-sv





More information about the Rpm-metadata mailing list