[Yum] Qs regarding Yum plugin

James Antill james-yum at and.org
Mon Feb 9 19:51:01 UTC 2009


Creative Innovative <innovative_c at yahoo.com> writes:

> Hi All,
>  
> I have been using Yum for the last 6 months, for basic stuff, like installing/upgrading 
> packages. Now I am in the process of writing a Yum plugin, so still trying to get a handle on it.
>  
> For what I need to do, in def posttrans_hook, 
> 1) take the transaction object, and look at the list of packages that were installed/upgraded/removed.
> 2) Check to see if each package install/package upgrade meets security criteria.
> NOTE: I HAVE TO INSTALL/UPGRADE PACKAGES BEFORE RUNNING SECURITY CRITERIA. SO THAT'S WHY THIS CHECK COMES IN POSTTRANS_HOOK.
> 3) If any of the packages does NOT meet that criteria, I need to undo
> the package install/package upgrade.

 This is a really bad idea, you want your depsolving criteria to be
based on metadata. If you have criteria that is not exposed via any
of the current metadata files, you could create another metadata DB
and use that in pretrans.
 If you try this "update and then remove on failure" approach you'll
have a bunch of problems:

1. yum/yum-updatesd/yum-cron/whatever will constantly update and then
remove the package.

2. If something goes wrong before you get to your removal code,
everything is already installed.

3. Even if #2 never happens, there'll be a vulnerability window where
the bad packages are installed each time an update happens.

4. If you are dealing with an update and not an install, you need to
do a downgrade ... this is impossible in the general case, including
deps. and obsoletes ... you _will_ fail (or, to put it another way
... if you think you didn't fail, please contact us so you can
implement a downgrade() method in yum core :).


 But if you want to ignore that advice you can look at how the
post-transaction-actions plugin works.

-- 
James Antill -- james at and.org
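
The pre-transaction approach recommended in the reply above, sketched as an added example (not code from the thread or from the yum project): a plugin that checks the resolved transaction against a local policy file in `pretrans_hook` and aborts before anything is installed. The policy path, file format and the helpers `parse_policy` and `violations` are assumptions made for illustration; the hook name, `PluginYumExit`, `conduit.getTsInfo()` and the transaction member attributes are yum's plugin API.

```python
try:
    from yum.plugins import PluginYumExit, TYPE_CORE
except ImportError:  # outside yum: stand-ins so the policy logic still runs
    TYPE_CORE = 0
    class PluginYumExit(Exception):
        pass

requires_api_version = '2.3'
plugin_type = (TYPE_CORE,)
POLICY_PATH = '/etc/yum/denied-packages.txt'  # hypothetical location

# Constructed sample of the assumed format: "name version-release"
SAMPLE_POLICY = """\
examplelib 1.2-3
badpkg *        # every version denied
"""

def parse_policy(text):
    """Return {name: set of denied 'version-release' strings, '*' = all}."""
    denied = {}
    for line in text.splitlines():
        fields = line.split('#', 1)[0].split()
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError('bad policy line: %r' % line)
        denied.setdefault(fields[0], set()).add(fields[1])
    return denied

def violations(members, denied):
    """members: (name, version, release, ts_state) per transaction member."""
    bad = []
    for name, version, release, state in members:
        if state not in ('i', 'u'):   # only packages being installed/updated to
            continue
        vr = '%s-%s' % (version, release)
        rules = denied.get(name, ())
        if '*' in rules or vr in rules:
            bad.append('%s-%s' % (name, vr))
    return bad

def pretrans_hook(conduit):
    try:
        denied = parse_policy(open(POLICY_PATH).read())
    except (IOError, ValueError) as e:   # fail closed: no policy, no transaction
        raise PluginYumExit('policy unreadable, refusing: %s' % e)
    members = [(m.name, m.version, m.release, m.ts_state)
               for m in conduit.getTsInfo().getMembers()]
    bad = violations(members, denied)
    if bad:
        raise PluginYumExit('denied by policy: ' + ', '.join(bad))
```

Because the check runs before the transaction, a denied package is never on disk, so there is no removal or downgrade step to get wrong.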

