[Yum-devel] A new ctrl-c gotcha/regression
Panu Matilainen
pmatilai at laiskiainen.org
Mon Feb 14 20:47:32 UTC 2011
On 02/14/2011 10:08 PM, seth vidal wrote:
> On Mon, 2011-02-14 at 21:47 +0200, Panu Matilainen wrote:
>> If we forget about rpm 4.6 - 4.7 (ie just let them behave like 4.4.x
>> does), in newer versions you can use your own keyring without ever
>> touching the rpmdb for keys if you want to - for example pulling the
>> keys pointed to by .repo files into a keyring and telling rpm to use
>> that instead of what might be in the rpmdb. It's just that wedging this
>> kind of new stuff into yum while maintaining yum's api compatibility,
>> rpm 4.4.x compatibility and without adding large sections of differing
>> codepaths causing even more pain, is not always exactly trivial.
>>
>
> what kind of keyring is this? A normal gpg pubring + trustdb or rpm's
> keyring-in-a-db?
It's an in-memory construct with no backing store (at least currently),
and while rpm by default uses gpg-pubkey's from the rpmdb to populate it
behind the scenes, you can populate it from whatever source you want, it
eats ASCII-armored GPG keys. E.g.
>>> import rpm
>>> kr = rpm.keyring()
>>> key = rpm.pubkey(file("/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-14-primary").read())
>>> kr.addKey(key)
0
>>> ts = rpm.TransactionSet()
>>> ts.setKeyring(kr)
True
...and that transaction set will never go to the rpmdb for signature
checking.
Or you can grab the default rpmdb keyring into memory (eg early on when
you are accessing rpmdb anyway) and then use it later on to avoid having
to load stuff from rpmdb again, e.g.
>>> ts = rpm.TransactionSet()
>>> kr = ts.getKeyring()
>>> del ts
>>> ots = rpm.TransactionSet()
>>> ots.setKeyring(kr)
True
It's a pretty primitive API but does allow the thing it was pretty much
created for: signature checking without accessing the rpmdb. So you
could check signatures while downloading, without ctrl-c issues (it also
eliminated some nasty recursion from rpm internals but that's another
story) and allow the keys to come from other sources than rpmdb. That
the gpg-pubkey "packages" are still actually used by default is more of
an "internal implementation detail", although changing that is going to
be a tricky and slow process because various things, yum included,
actually expect to find them there.
- Panu -
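Putting the keyring calls from the post together, as an added example (my code, not Panu's, yum's or rpm's own): build an rpm.keyring from the key files a .repo points at, then check a downloaded package against that keyring alone, so the rpmdb is never opened for signature checking. It assumes the rpm Python bindings with the keyring API described above (rpm.keyring, rpm.pubkey, TransactionSet.setKeyring); the key file paths, the package path, the function names and the sample key file text are assumptions, and the sample text is constructed placeholder material, not a real key.

```python
"""Signature checking against a caller-supplied keyring, not the rpmdb.

Added example, not code from this post or from yum/rpm itself. It assumes the
rpm Python bindings with the keyring API the post describes (rpm.keyring,
rpm.pubkey, TransactionSet.setKeyring); key file paths, the package path and
the function names are illustrative assumptions.
"""
import os
import re

try:
    import rpm  # python-rpm; only present on RPM-based systems
except ImportError:
    rpm = None

# rpm.pubkey() takes exactly one ASCII-armored key, but an RPM-GPG-KEY file
# referenced by a .repo may carry several armored blocks, so split them first.
_ARMOR_RE = re.compile(
    r"-----BEGIN PGP PUBLIC KEY BLOCK-----.*?-----END PGP PUBLIC KEY BLOCK-----",
    re.DOTALL,
)

# Constructed sample of a two-block key file; the bodies are placeholders, not
# real key material, so this text is only useful for exercising the splitter.
SAMPLE_KEYFILE_TEXT = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

bm90IGEgcmVhbCBrZXkgKGNvbnN0cnVjdGVkIHNhbXBsZSk=
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

c2Vjb25kIHBsYWNlaG9sZGVyIGJsb2Nr
-----END PGP PUBLIC KEY BLOCK-----
"""


def split_armored_keys(text):
    """Return every armored public key block in ``text``, each as one str."""
    return _ARMOR_RE.findall(text)


def _require_rpm():
    if rpm is None:
        raise RuntimeError("the rpm Python bindings are not importable here")


def build_keyring(key_paths):
    """Load the keys from ``key_paths`` into an in-memory rpm.keyring.

    Returns (keyring, keys_added). The rpmdb is never opened or written.
    """
    _require_rpm()
    kr = rpm.keyring()
    added = 0
    for path in key_paths:
        with open(path, "r") as fh:
            blocks = split_armored_keys(fh.read())
        if not blocks:
            raise ValueError("no armored PGP public key in %s" % path)
        for block in blocks:
            # addKey() returns 0 when the key was added (as in the post);
            # anything else means rpm did not take it (e.g. a duplicate),
            # so count only real additions and fail loudly if none happened.
            if kr.addKey(rpm.pubkey(block)) == 0:
                added += 1
    if added == 0:
        raise ValueError("no usable keys loaded from %r" % (list(key_paths),))
    return kr, added


def check_signature(package_path, keyring):
    """Verify the header signature of ``package_path`` using only ``keyring``.

    Returns "ok", "no-key" (signed by a key not in the keyring), "untrusted"
    or "bad" (corrupt header, bad digest or bad signature).
    """
    _require_rpm()
    ts = rpm.TransactionSet()
    ts.setKeyring(keyring)
    # vsflags 0 = verify every digest and signature; the default flags may
    # skip some of the checks.
    ts.setVSFlags(0)
    fd = os.open(package_path, os.O_RDONLY)
    try:
        ts.hdrFromFdno(fd)
    except rpm.error as e:
        # The exact messages vary between rpm releases (one older release
        # misspelled "available"), so match on stable substrings.
        msg = str(e)
        if "not avail" in msg:
            return "no-key"
        if "not trusted" in msg:
            return "untrusted"
        return "bad"
    finally:
        os.close(fd)
    return "ok"
```

Typical use is `kr, n = build_keyring(["/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-14-primary"])` once, then `check_signature(path, kr)` for each downloaded package. Because the keyring is an in-memory construct with no backing store, a ctrl-c in the middle of the download loop cannot leave a half-imported gpg-pubkey in the rpmdb, which is exactly the rpmdb access the post says this API was created to avoid.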