[OE-core] [PATCH 1/2] lib/oe/package_manager.py (rpm): Signature check is enabled by default

Mon Oct 2 13:09:25 UTC 2017

Alexander,

On Mon, Oct 2, 2017 at 8:01 AM, Alexander Kanavin
<alexander.kanavin at linux.intel.com> wrote:
> On 10/02/2017 01:00 AM, Otavio Salvador wrote:
>
>>> NAK both patches, I'm afraid. gpgcheck and repo_gpgcheck are two
>>> different
>>> options, which control different things, and you thoroughly confused them
>>> here.
>>
>>
>> I did test both patches and this is not what I figured. Did you test it?
>
>
>>> Again, 'gpcheck' option has nothing to do with verifying signed package
>>> feeds. NAK.
>>
>>
>> Oh really? so tell me why it fixed my error?
>>
>> Without this patch I need to use:
>>
>> dnf install --nogpgcheck <pkg>
>>
>> and it is sub-optimal as I did not enabled signed support.
>
> Oe-core has support for two different things:
>
> 1. Signing and verifying individual package files. This feature is
> controlled by RPM_SIGN_PACKAGES option in build configuration and dnf's
> gpgcheck config file option at runtime.
>
> 2. Signing and verifying repository metadata. This feature is controlled by
> PACKAGE_FEED_SIGN option and repo_gpgcheck config file option respectively.
>
> The above two things are completely orthogonal, and can be enabled and
> disabled independently of each other. Now please look at your patches
> keeping this in mind.
>
> I assure you, both of the patches are incorrect. Exactly why is left as an
> exercise for the reader.

I assure you I did test both patches. I leave as an exercise to you to
show me what it breaks.

Also, keeping "exercises" for contributors is not something which
helps to gather more contributions. It solved the dnf install
requirement for my test and seems to be the right thing to do. I may
be missing something but please point it or give me a case test.

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750