Re: Blockers of apt 0.6, not related to signature verification

To: Florian Weimer <fw@deneb.enyo.de>
Cc: deity@lists.debian.org
Subject: Re: Blockers of apt 0.6, not related to signature verification
From: Michael Vogt <mvogt@acm.org>
Date: Thu, 17 Feb 2005 15:37:24 +0100
Message-id: <[🔎] 20050217143724.GA2208@top.ping.de>
In-reply-to: <[🔎] 878y5n47ty.fsf@deneb.enyo.de>
References: <[🔎] 87psyz8ncg.fsf@deneb.enyo.de> <[🔎] 20050217134111.GE32522@top.ping.de> <[🔎] 878y5n47ty.fsf@deneb.enyo.de>

On Thu, Feb 17, 2005 at 02:47:05PM +0100, Florian Weimer wrote:
> * Michael Vogt:
> >> are you aware of any issues that would, in your opinion, make it
> >> infeasible to let apt 0.6 enter testing at this stage, apart from open
> >> questions surrounding the Release signature verification (and general
> >> reservations towards anything which might delay a release)?
> >
> > The only problem I see is that the changes are not transparent for the
> > frontends (aptitude, synaptic, gnome-apt). They need to be updated and
> > tested as well. 
> 
> Sorry for being dense.  Do you mean the impact of other changes
> besides archive signing on the frontends, or do you refer solely to
> the fallout from archive signing?

Sorry for not explaining it a bit better.

There are nearly no other changes other than the signing stuff in
apt-0.6. So that should be pretty safe :)

> The frontend implications of archive signing are already on my list
> (mainly dealing with new failure modes, I suppose, and maybe dealing
> with key rollover).

Without source code changes, the frontends don't know anything about
signed repositories. Aptitude/Synaptic will happily install anything
without a warning whether it's authenticated or not. But there will be
side-effects: you get a warning in the frontends after a update about
missing/incorrect signatures (only if there are some of course). 

With patched aptitude (or aptitude from experimental) and synaptic
build with --with-apt-authentication there will be warnings when
trying to install unauthenticated packages.

So IMO if apt-0.6 enters sarge we should try to update aptitude as
well (and synaptic but it's not frozen yet, so this shouldn't be a
problem). Otherwise we have a mix of tools that support and not
support the signatures.

There are (AFAIK) no patches for gnome-apt, so it won't know about
signed repositories. And everything that depends on libapt needs to be
recompiled because the ABI changes.

Cheers,
 Michael

-- 
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo

Reply to:

Follow-Ups:
- Re: Blockers of apt 0.6, not related to signature verification
  - From: Daniel Burrows <dburrows@debian.org>
- Re: Blockers of apt 0.6, not related to signature verification
  - From: Florian Weimer <fw@deneb.enyo.de>

References:
- Blockers of apt 0.6, not related to signature verification
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: Blockers of apt 0.6, not related to signature verification
  - From: Michael Vogt <mvo@debian.org>
- Re: Blockers of apt 0.6, not related to signature verification
  - From: Florian Weimer <fw@deneb.enyo.de>

Prev by Date: Incidencia de virus
Next by Date: Re: Blockers of apt 0.6, not related to signature verification
Previous by thread: Re: Blockers of apt 0.6, not related to signature verification
Next by thread: Re: Blockers of apt 0.6, not related to signature verification
Index(es):
- Date
- Thread