Fedora review
Karsten Wade
kwade at redhat.com
Fri Jul 22 18:55:35 UTC 2005
On Fri, 2005-07-22 at 13:51 -0400, Jeff Spaleta wrote:
> On 7/22/05, Karsten Wade <kwade at redhat.com> wrote:
> > Instead of a package, could repos make their details available via RSS
> > feeds? You would past an RSS URL into the GUI tool and it would pull
> > down the latest details.
>
> Ugh.. horrid. You are asking a gui that has to be run by root to
> scrape configs out of an rss feed. Can you even provide a signed
> payload that way? Seems to me you are just re-inventing the wheel
> here. Just pull down a package and install it. Advertising "package
> links" via rss feeds is a good idea... but encoding the actual configs
> into an rss feed is not a good way to do this. At the end of the
> day.. you are installing config files that really should be managed by
> the rpm system just like what the fedora-release package does right
> now in Core....which means installing updates via a package. We do it
> for fedora-release, we should encourage 3rd parties to use the same
> mechanism. rpm -V is a good thing.. lets not invent something that
> shortcircuits the ability to verify that the configs you have are
> really the configs you are expected to have.
Sure, that makes sense. I was just looking for something that was
better than "type it in by hand". A feed would be moderately better at
this. But, yeah, it sucks for security. I didn't think the idea
through for all implications.
> > something, they wouldn't have to roll and release a new package. The
> > GUI could check for repo updates daily, weekly, whatever.
>
> Yeah we could provide all of files from all packages via an rss feed
> instead of via rpms.
> I'm really not seeing the advantage of providing a new mechanism to
> drop configs into a system. Can't people just advertise links to rpms
> in the rss feed and have the gui scrape for packages to install?
I feel end users might be confused by the idea of installing and
updating a package in order to have the latest information on where
packages are. But that is probably small minded of me. :) Otherwise,
your shoot down of my idea is correct -- the security would be horrid
and a reinvention. :)
It might help to make fedora-announce-list available as an RSS feed,
then ask repo packagers to advertise their updates there.
- Karsten
--
Karsten Wade, RHCE * Sr. Tech Writer * http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
Red Hat SELinux Guide
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-marketing-list/attachments/20050722/35d41ca7/attachment.sig>
More information about the Fedora-marketing-list
mailing list