[OE-core] [PATCH v4 0/3] zypper: support signed repositories
Steve Sakoman
steve at sakoman.com
Tue Jan 31 00:37:36 UTC 2012
On Mon, Jan 30, 2012 at 3:56 PM, Saul Wold <sgw at linux.intel.com> wrote:
> On 01/30/2012 03:29 PM, Steve Sakoman wrote:
>>
>> On Mon, Jan 30, 2012 at 2:13 PM, Saul Wold <sgw at linux.intel.com> wrote:
>>
>>> This would imply that we need to have a GPLv2 version of the gnupg
>>> recipe also. Steve, if you had to look at or handle the newer GPLv3 gnupg
>>> code itself, you may not be able to write the GPLv2 recipe or create
>>> patches for it; can you arrange for someone to create that patch?
>>
>>
>> OE-classic has a recipe for gnupg-1.4.10, so perhaps the safest
>> approach would be to import that recipe since I *have* browsed the
>> gnupg v2 code.
>>
> You mean v3 code no doubt.

No, I did mean GnuPG V2 code, which is GPLv3 :-) Yeah, confusing with
all these v's flying around!

>> I know from experience that signed repositories won't work for that
>> version as-is. Zypper explicitly uses gpg2.
>>
> Any idea how much work there is there? Do you know of anyone that can help
> out with this?

I'll take a look at patches for zypper to use GnuPG v1 (which is GPLv2 ;-) )

>> It *may* be that gpg and gpg2 are compatible enough that you could get
>> away with a symlink and a v1.x version of gnupg. Or perhaps one could
>> patch zypper to try gpg if gpg2 isn't present. Thoughts?
>>
> I think it would be clearer if we patch zypper for gpg instead of hiding
> behind a symlink. Other tools that may want to use gpg2 might get the wrong
> thing.
>
> Another possibility would be to disable signed repos for non-GPLv3, but I am
> not wild about that idea since it's highly likely that a commercial vendor
> would want to provide signed repos in a non-GPLv3 device for security and
> sanity.

Agreed.

Steve