Re: ****Re: Yum public keys -

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2006-11-17 at 09:43 -0500, Todd Zullinger wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Bob Goodwin wrote:
> > I worked around the problem by installing 
> > libid3tag-0.15.1b-3.fc6.rf.i386.rpm and lame from 
> > "http://ftp.riken.go.jp/pub/Linux/dries/fedora/fc6/i386/RPMS.dries/"; 
> > with the repective rpm's.
> >
> > Yum is easy if it works but installing from rpm's is less complicated 
> > when there's a problem such as this.
> 
> I'd argue that yum does work well in almost all cases, but it does
> require that the repositories that it's pulling from are setup
> properly.  Much of this needs to be done by the repo maintainers,
> though there is some work that needs to be done by users.  It's
> important not to enable repos that aren't designed to play nice
> together.  I stick with Core, Extras, and Livna because they are
> designed to work together.  Adding Dries, FreshRPMS, or other rpmforge
> repos sometimes conflict with things in core, extras, or livna.
> 
> The workaround above may have saved you some head scratching, but it
> circumvented an important security check.  Yum was complaining because
> it could not verify the integrity of the package via its GPG
> signature.  Installing manually you skipped that check. How would you
> know if that package was trojaned?
> 
> Installing packages manually that have problems in yum could also make
> it difficult for yum to do its job in the future by introducing
> packages that have dependencies outside of the repos that yum knows
> about.
> 
> The better solution (to me) would be to find out why installing
> audacity from extras was trying to pull in a libid3tag package other
> than the one available in extras[1].  There is a repo in your
> configuration that is not installed correctly/completely.  A properly
> configured repo would make its key available so that when you try to
> install a package from that repo and need the key installed, it can
> prompt you and install that key.
> 
> [1] http://download.fedora.redhat.com/pub/fedora/linux/extras/6/i386/libid3tag-0.15.1b-3.fc6.i386.rpm
----
I think that you have every reason to expect dries/matthias/dag/aka
rpmforge packages to be fully compatible with fedora core/extras/updates
packages. There is overlap between the rpmforge packages and livna and
typically the the rpmforge packages are newer than the livna packages
which can sometimes present a problem when you have libraries from livna
installed as opposed to coming from extras and a newer version of the
requiring package in an rpmforge repo.

Some of the tactics that can be used to help when you want livna and
rpmforge repos...

- use smart

- set rpmforge/dries/matthias/livna to 'enabled = no' and then use
--enablerepo=livna or --enablerepo=rpmforge when you want to get one of
the 'optional packages'

Craig


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux