****Re: Yum public keys -
Craig White
craigwhite at azapple.com
Fri Nov 17 14:53:54 UTC 2006
On Fri, 2006-11-17 at 09:43 -0500, Todd Zullinger wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Bob Goodwin wrote:
> > I worked around the problem by installing
> > libid3tag-0.15.1b-3.fc6.rf.i386.rpm and lame from
> > "http://ftp.riken.go.jp/pub/Linux/dries/fedora/fc6/i386/RPMS.dries/"
> > with the repective rpm's.
> >
> > Yum is easy if it works but installing from rpm's is less complicated
> > when there's a problem such as this.
>
> I'd argue that yum does work well in almost all cases, but it does
> require that the repositories that it's pulling from are setup
> properly. Much of this needs to be done by the repo maintainers,
> though there is some work that needs to be done by users. It's
> important not to enable repos that aren't designed to play nice
> together. I stick with Core, Extras, and Livna because they are
> designed to work together. Adding Dries, FreshRPMS, or other rpmforge
> repos sometimes conflict with things in core, extras, or livna.
>
> The workaround above may have saved you some head scratching, but it
> circumvented an important security check. Yum was complaining because
> it could not verify the integrity of the package via its GPG
> signature. Installing manually you skipped that check. How would you
> know if that package was trojaned?
>
> Installing packages manually that have problems in yum could also make
> it difficult for yum to do its job in the future by introducing
> packages that have dependencies outside of the repos that yum knows
> about.
>
> The better solution (to me) would be to find out why installing
> audacity from extras was trying to pull in a libid3tag package other
> than the one available in extras[1]. There is a repo in your
> configuration that is not installed correctly/completely. A properly
> configured repo would make its key available so that when you try to
> install a package from that repo and need the key installed, it can
> prompt you and install that key.
>
> [1] http://download.fedora.redhat.com/pub/fedora/linux/extras/6/i386/libid3tag-0.15.1b-3.fc6.i386.rpm
----
I think that you have every reason to expect dries/matthias/dag/aka
rpmforge packages to be fully compatible with fedora core/extras/updates
packages. There is overlap between the rpmforge packages and livna and
typically the the rpmforge packages are newer than the livna packages
which can sometimes present a problem when you have libraries from livna
installed as opposed to coming from extras and a newer version of the
requiring package in an rpmforge repo.
Some of the tactics that can be used to help when you want livna and
rpmforge repos...
- use smart
- set rpmforge/dries/matthias/livna to 'enabled = no' and then use
--enablerepo=livna or --enablerepo=rpmforge when you want to get one of
the 'optional packages'
Craig
More information about the fedora-list
mailing list