[yum-git] plugins/tmprepo

James Antill james at linux.duke.edu
Fri Jul 25 16:08:40 UTC 2008


 plugins/tmprepo/tmprepo.conf |    7 ++++--
 plugins/tmprepo/tmprepo.py   |   50 ++++++++++++++++++++++++++++++++++---------
 2 files changed, 45 insertions(+), 12 deletions(-)

New commits:
commit dc7958219611f7e2058a7ae13697dc76259dea79
Author: James Antill <james at and.org>
Date:   Fri Jul 25 12:07:23 2008 -0400

    Merge the gpgcheck upstream config. changes into tmprepo

diff --git a/plugins/tmprepo/tmprepo.conf b/plugins/tmprepo/tmprepo.conf
index f5e3b83..a3d51ef 100644
--- a/plugins/tmprepo/tmprepo.conf
+++ b/plugins/tmprepo/tmprepo.conf
@@ -1,5 +1,8 @@
 [main]
 enabled=1
-# You can uncomment this to allow tmporary repositories to disable/alter
+#  You can uncomment this to allow tmporary repositories to disable/alter
 # gpg checking. This is not recommended.
-# gpgcheck=false
+#  You might want to use remote_gpgcheck=packages, but if you do understand
+# what the security implications are.
+# remote_gpgcheck=repository
+# local_gpgcheck=packages
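Review bot: The comment block promises a way to "disable/alter" GPG checking, but the two sample lines match the plugin's built-in defaults (`repo`/`repository` for remote, `packages` for local), so uncommenting them changes nothing. The accepted values are never listed, so I would add a line such as `# Values: packages | repository | true (both) | false (no checking)`. The "understand what the security implications are" sentence should state the implication rather than allude to it. With `remote_gpgcheck=packages`, a remote .repo file is presumably accepted without requiring signed repository metadata, and that trade-off should be spelled out here.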
diff --git a/plugins/tmprepo/tmprepo.py b/plugins/tmprepo/tmprepo.py
index 7d3daeb..845cfc4 100644
--- a/plugins/tmprepo/tmprepo.py
+++ b/plugins/tmprepo/tmprepo.py
@@ -39,12 +39,33 @@ plugin_type = (TYPE_INTERACTIVE,)
 
 def make_validate(log, gpgcheck):
     def tvalidate(repo):
-        if gpgcheck:
-    
-            # Don't allow them to set gpgcheck=False
-            if not repo.gpgcheck:
+        if gpgcheck.lower() not in ('false', 'no', '0'):
+
+            if gpgcheck.lower() not in ('packages', 'pkgs',
+                                        '1', 'yes', 'true',
+                                        'repo', 'repository'):
+                log.warn("GPGcheck set to unknown value: %s" % gpgcheck)
+                return False
+
+            if repo.gpgcheck not in ('packages', 'true', 'repo'):
+                log.warn("Repo %s GPGcheck set to unknown value: %s" %
+                         (repo, gpgcheck))
+                return False
+
+            # Don't ever allow them to set gpgcheck='false'
+            if repo.gpgcheck == 'false':
                 log.warn("Repo %s tried to set gpgcheck=false" % repo)
                 return False
+
+            # Now do the more complicated comparisons...
+            if (gpgcheck.lower() in ('packages', 'pkgs', '1', 'yes', 'true') and
+                repo.gpgcheck == 'repo'):
+                log.warn("Repo %s tried to set gpgcheck=repository" % repo)
+                return False
+            if (gpgcheck.lower() in ('repository', 'repo', '1', 'yes', 'true') and
+                repo.gpgcheck == 'packages'):
+                log.warn("Repo %s tried to set gpgcheck=packages" % repo)
+                return False
             
             # Don't allow them to set gpgkey=anything
             for key in repo.gpgkey:
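Review bot: The second warning in tvalidate reports the wrong value. The test is on `repo.gpgcheck`, but the message formats the plugin's own `gpgcheck`, so the log never shows what the repo file actually requested; the argument tuple should be `(repo, repo.gpgcheck))`. The `repo.gpgcheck == 'false'` test below it can never fire, because 'false' is already rejected by the `not in ('packages', 'true', 'repo')` check, so the explicit "tried to set gpgcheck=false" warning is lost; moving that test above the unknown-value check restores it. `gpgcheck.lower()` is also recomputed in four places and could be bound once before the first comparison. tvalidate continues past the end of this hunk.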
@@ -96,7 +117,7 @@ def add_dir_repo(base, trepo, cleanup):
 name=Tmp. repo. for %(path)s
 baseurl=file:%(dname)s
 enabled=1
-gpgcheck=1
+gpgcheck=packages
 metadata_expire=0
 #  Make cost smaller, as we know it's "local" ... if this isn't good just create
 # your own .repo file. ... then you won't need to createrepo each run either.
@@ -117,12 +138,15 @@ cost=500
     AutoCleanupDir("%s/%s" % (base.conf.cachedir, repoid))
     return tmp_fname
 
-def add_repos(base, log, tmp_repos, tvalidate, cleanup_dir_temp):
+def add_repos(base, log, tmp_repos, tvalidate, tlocvalidate, cleanup_dir_temp):
     """ Add temporary repos to yum. """
     # Don't use self._splitArg()? ... or require URLs without commas?
     for trepo in tmp_repos:
         if trepo.startswith("/"):
             trepo = "file:%s" % trepo
+        validate = tvalidate
+        if trepo.startswith("file:"):
+            validate = tlocvalidate
         if trepo.startswith("file:") and trepo.endswith("/"):
             if not os.path.isdir(trepo[len("file:"):]):
                 log.warn("Failed to find directory " + trepo[len("file:"):])
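Review bot: The validator is chosen from the scheme of the command-line argument (`trepo.startswith("file:")`), not from where the repository content lives. A local .repo file therefore appears to get the `tlocvalidate` policy, which is laxer by default, even when its baseurl points at a remote host. If the relaxed default is meant only for directories that add_dir_repo turns into repos, narrow the test to `if trepo.startswith("file:") and trepo.endswith("/"):`. Otherwise add a comment saying that local .repo files are deliberately trusted at the local level. The rest of the loop lies outside this hunk, so the handling of the non-directory path is inferred.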
@@ -139,19 +163,21 @@ def add_repos(base, log, tmp_repos, tvalidate, cleanup_dir_temp):
                 log.warn("Failed to retrieve " + trepo)
                 continue
 
-        base.getReposFromConfigFile(fname, validate=tvalidate)
+        base.getReposFromConfigFile(fname, validate=validate)
         added = True
 
     # Just do it all again...
     base.setupProgressCallbacks()
 
-my_gpgcheck = True
+rgpgcheck = 'repo' # Remote 
+lgpgcheck = 'packages'
 def config_hook(conduit):
     '''
     Yum Plugin Config Hook: 
     Add the --tmprepo option.
     '''
-    global my_gpgcheck
+    global rgpgcheck
+    global lgpgcheck
     global def_tmp_repos_cleanup
     
     parser = conduit.getOptParser()
@@ -166,7 +192,10 @@ def config_hook(conduit):
     parser.add_option("--tmprepo-keep-created", action='store_true',
                       dest='tmp_repos_cleanup', default=False,
                       help="keep created direcotry based tmp. repos.")
-    my_gpgcheck = conduit.confBool('main', 'gpgcheck', default=True)
+    #  We default to repository for actual repo files, because that's the most
+    # secure, but packages for local dirs./files
+    rgpgcheck  = conduit.confString('main', 'remote_gpgcheck', default='repo')
+    lgpgcheck = conduit.confString('main', 'local_gpgcheck', default='packages')
     def_tmp_repos_cleanup = conduit.confBool('main', 'cleanup', default=False)
 
 _tmprepo_done = False
@@ -187,4 +216,5 @@ def prereposetup_hook(conduit):
     log = logging.getLogger("yum.verbose.main")
     add_repos(conduit._base, log, opts.tmp_repos,
               make_validate(log, my_gpgcheck),
+              make_validate(log, my_dgpgcheck),
               not (opts.tmp_repos_cleanup or def_tmp_repos_cleanup))
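Review bot: Both validator arguments reference names this commit does not define. The `my_gpgcheck` assignment and its `global` declaration are removed in the earlier hunks in favour of `rgpgcheck`/`lgpgcheck`, and `my_dgpgcheck` is not assigned anywhere in the visible diff. Unless they are defined elsewhere in the file, prereposetup_hook raises NameError before add_repos is called. The two lines should be `make_validate(log, rgpgcheck),` and `make_validate(log, lgpgcheck),`, in that order, to match the new `tvalidate, tlocvalidate` parameters. The body of prereposetup_hook starts above this hunk.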


