[Yum-devel] A new ctrl-c gotcha/regression

Panu Matilainen pmatilai at laiskiainen.org
Mon Feb 14 20:47:32 UTC 2011


On 02/14/2011 10:08 PM, seth vidal wrote:
> On Mon, 2011-02-14 at 21:47 +0200, Panu Matilainen wrote:
>> If we forget about rpm 4.6 - 4.7 (ie just let them behave like 4.4.x
>> does), in newer versions you can use your own keyring without ever
>> touching the rpmdb for keys if you want to - for example pulling the
>> keys pointed to by .repo files into a keyring and telling rpm to use
>> that instead of what might be in the rpmdb. It's just that wedging this
>> kind of new stuff into yum while maintaining yum's api compatibility,
>> rpm 4.4.x compatibility and without adding large sections of differing
>> codepaths causing even more pain, is not always exactly trivial.
>>
>
> what kind of keyring is this? A normal gpg pubring + trustdb or rpm's
> keyring-in-a-db?

It's an in-memory construct with no backing store (at least currently), 
and while rpm by default uses gpg-pubkeys from the rpmdb to populate it 
behind the scenes, you can populate it from whatever source you want; it 
eats ascii-armored GPG keys. E.g.

>>> import rpm
>>> kr = rpm.keyring()
>>> key = rpm.pubkey(file("/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-14-primary").read())
>>> kr.addKey(key)
0
>>> ts = rpm.TransactionSet()
>>> ts.setKeyring(kr)
True

...and that transaction set will never go to the rpmdb for signature 
checking.

Or you can grab the default rpmdb keyring into memory (e.g. early on when 
you are accessing rpmdb anyway) and then use it later on to avoid having 
to load stuff from rpmdb again, e.g.

>>> ts = rpm.TransactionSet()
>>> kr = ts.getKeyring()
>>> del ts
>>> ots = rpm.TransactionSet()
>>> ots.setKeyring(kr)
True

It's a pretty primitive API but does allow the thing it was pretty much 
created for: signature checking without accessing the rpmdb. So you 
could check signatures while downloading, without ctrl-c issues (it also 
eliminated some nasty recursion from rpm internals but that's another 
story) and allow the keys to come from other sources than rpmdb. That 
the gpg-pubkey "packages" are still actually used by default is more of 
an "internal implementation detail", although changing that is going to 
be a tricky and slow process because various things, yum included, 
actually expect to find them there.

	- Panu -
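The "pull the keys pointed to by .repo files into a keyring" idea from the thread, as an added example that is not code from the mail or from yum/rpm: it reads gpgkey= URLs out of repo definitions, skips disabled repos and repos with gpgcheck off, and hands the resulting in-memory keyring to a TransactionSet. It assumes the rpm Python bindings shown above (rpm.keyring, rpm.pubkey, setKeyring) are installed and that key URLs are file:// paths; the function names and the sample .repo text are made up for illustration.

```python
# Added example, not code from the mail: build an in-memory rpm keyring from
# the gpgkey= URLs in .repo files so signature checks never touch the rpmdb.
import configparser, urllib.parse

def repo_key_urls(repo_text):
    """Map repoid -> gpgkey URLs, only for enabled repos with gpgcheck on."""
    # interpolation=None: repo files contain $releasever/$basearch literally
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(repo_text)
    keys = {}
    for repoid in cp.sections():
        sect = cp[repoid]
        if not sect.getboolean("enabled", fallback=True):
            continue
        if not sect.getboolean("gpgcheck", fallback=False):
            continue  # keys of unchecked repos must not become trusted
        keys[repoid] = sect.get("gpgkey", "").split()  # may list several
    return keys

def load_armored_key(url):
    # Only file:// URLs are handled here (assumption); anything else is refused
    parsed = urllib.parse.urlparse(url)
    if parsed.scheme != "file":
        raise ValueError("unsupported key URL scheme: %s" % url)
    with open(parsed.path, "rb") as f:
        return f.read()

def keyring_transaction_set(repo_text):
    """Return a TransactionSet whose keyring holds only the repo keys."""
    import rpm  # rpm Python bindings, imported lazily (assumed present)
    kr = rpm.keyring()
    for urls in repo_key_urls(repo_text).values():
        for url in urls:
            kr.addKey(rpm.pubkey(load_armored_key(url)))
    ts = rpm.TransactionSet()
    ts.setKeyring(kr)  # this ts never consults gpg-pubkey packages in rpmdb
    return ts

SAMPLE_REPO = """\
# constructed sample .repo content, not a real configuration file
[fedora]
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-14-primary
[local-builds]
enabled=1
gpgcheck=0
gpgkey=file:///srv/repo/RPM-GPG-KEY-local
"""
```

Calling keyring_transaction_set(SAMPLE_REPO) on a host with the rpm bindings gives a transaction set that can check signatures during download without going near the rpmdb, which is the ctrl-c case the thread is about.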

