[Rpm-maint] [rpm-software-management/rpm] rpm 4.20.0 alpha fallout #1 : urpmi --no-verify is broken by rpm checking on its own (Issue #3142)

soig notifications at github.com
Thu Jun 6 12:51:33 UTC 2024


So there are two issues, so I'll use two parts:

**Updating/reimporting a pubkey:**
Stupid question, but: how can one remove a key from rpmdb (through the API, not using rpm -e)?
We have rpmtsImportPubkey() but no remove or refresh API.
There's also rpmKeyringAddKey() but no RemoveKey().

Currently the URPM C binding uses rpmtsImportPubkey() https://gitweb.mageia.org/software/rpm/perl-URPM/tree/URPM.xs#n3363
(called from the Perl interface: https://gitweb.mageia.org/software/rpm/perl-URPM/tree/URPM/Signature.pm#n82)

➡️ **_I guess I'll have to run a small transaction removing the offending key before importing._**
I don't see anything else?
WDYT?

**Urpmi --no-verify**
By default (unless one uses --no-verify), urpmi first checks packages
http://gitweb.mageia.org/software/rpm/urpmi/tree/urpm/main_loop.pm#n527
before doing the actual installation:
http://gitweb.mageia.org/software/rpm/urpmi/tree/urpm/main_loop.pm#n544

The actual installation basically means we run a series of transactions here: http://gitweb.mageia.org/software/rpm/urpmi/tree/urpm/install.pm#n352

```perl
my $trans = $db->create_transaction;
$trans->check;
$trans->order;
$trans->run;
```

These are defined in the URPM binding (https://gitweb.mageia.org/software/rpm/perl-URPM/tree/URPM.xs#n2770) as rpmtsCheck(), rpmtsOrder() and rpmtsRun() respectively.

But before installing, as said above, unless using --no-verify, we'll do some tests: http://gitweb.mageia.org/software/rpm/urpmi/tree/urpm/main_loop.pm#n129
which really happen here: http://gitweb.mageia.org/software/rpm/urpmi/tree/urpm/signature.pm#n40
For each package we call verify_signature(), which is here in the URPM binding: https://gitweb.mageia.org/software/rpm/perl-URPM/tree/URPM.xs#n3306, where we use rpmReadPackageFile() to check each package file.

So at this point we have already checked the pkgs for signatures.
If in interactive mode (either CLI or GUI), we ask the user whether they want to abort or force the installation.
Previously, this worked fine, but now rpmlib checks the pkgs again after we already did, and it doesn't know that the user actually said "frak this, install anyway".

So I think that in the urpmi context, we want to prevent rpmlib from checking the pkgs again since we already did it.
➡️ _**Would passing RPMPROB_FILTER_VERIFY be enough to achieve this**_ when calling rpmtsRun()?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3142#issuecomment-2152344536