Fedora review

Karsten Wade kwade at redhat.com
Fri Jul 22 18:55:35 UTC 2005


On Fri, 2005-07-22 at 13:51 -0400, Jeff Spaleta wrote:
> On 7/22/05, Karsten Wade <kwade at redhat.com> wrote:
> > Instead of a package, could repos make their details available via RSS
> > feeds?  You would paste an RSS URL into the GUI tool and it would pull
> > down the latest details.  
> 
> Ugh.. horrid. You are asking a gui that has to be run by root to
> scrape configs out of an rss feed. Can you even provide a signed
> payload that way? Seems to me you are just re-inventing the wheel
> here. Just pull down a package and install it.  Advertising "package
> links" via rss feeds is a good idea... but encoding the actual configs
> into an rss feed is not a good way to do this.  At the end of the
> day.. you are installing config files that really should be managed by
> the rpm system just like what the fedora-release package does right
> now in Core....which means installing updates via a package. We do it
> for fedora-release, we should encourage 3rd parties to use the same
> mechanism. rpm -V is a good thing.. let's not invent something that
> short-circuits the ability to verify that the configs you have are
> really the configs you are expected to have.

Sure, that makes sense.  I was just looking for something that was
better than "type it in by hand".  A feed would be moderately better at
this.  But, yeah, it sucks for security.  I didn't think the idea
through for all implications.

> > something, they wouldn't have to roll and release a new package.  The
> > GUI could check for repo updates daily, weekly, whatever.
> 
> Yeah we could provide all of the files from all packages via an rss feed
> instead of via rpms.
> I'm really not seeing the advantage of providing a new mechanism to
> drop configs into a system. Can't people just advertise links to rpms
> in the rss feed and have the gui scrape for packages to install?

I feel end users might be confused by the idea of installing and
updating a package in order to have the latest information on where
packages are.  But that is probably small-minded of me. :)  Otherwise,
your shoot-down of my idea is correct -- the security would be horrid
and a reinvention. :)

It might help to make fedora-announce-list available as an RSS feed,
then ask repo packagers to advertise their updates there.

- Karsten
-- 
Karsten Wade, RHCE * Sr. Tech Writer * http://people.redhat.com/kwade/
gpg fingerprint:  2680 DBFD D968 3141 0115    5F1B D992 0E06 AD0E 0C41   
                       Red Hat SELinux Guide
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
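
The `rpm -V` check discussed in the thread, shown as an added example that is not part of the original message: it parses verify output and reports repo definitions whose content no longer matches what the package shipped. The `/etc/yum.repos.d/` prefix, the file names and the sample output are assumptions constructed for illustration.

```python
import re

# One line of `rpm -V` output: result flags (or "missing"), an optional
# file-type marker (c = config file), then the path.
LINE = re.compile(r"^(missing|[.?A-Za-z0-9]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")

# Meaning of each flag character, per the rpm man page.
FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device",
         "L": "symlink target", "U": "owner", "G": "group",
         "T": "mtime", "P": "capabilities"}

def parse_verify(output):
    """Yield (path, is_config, failed_checks) for each reported file."""
    for raw in output.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # blank line or something that is not a verify record
        result, marker, path = m.groups()
        if result == "missing":
            failed = ["missing"]
        else:
            failed = [FLAGS[c] for c in result if c in FLAGS]
            if "?" in result:
                failed.append("unreadable")
        yield path, marker == "c", failed

def drifted_repo_configs(output, prefix="/etc/yum.repos.d/"):
    """Repo definitions whose content differs from what the package shipped."""
    hits = {}
    for path, _is_config, failed in parse_verify(output):
        if not path.startswith(prefix):
            continue
        # An mtime-only difference is noise; a digest mismatch or a
        # missing file means the repo definition itself has changed.
        if "digest" in failed or "missing" in failed:
            hits[path] = failed
    return hits

# Constructed sample of `rpm -V fedora-release` output (not from a real host).
SAMPLE = """\
S.5....T.  c /etc/yum.repos.d/fedora.repo
.......T.  c /etc/yum.repos.d/fedora-updates.repo
missing    c /etc/yum.repos.d/fedora-extras.repo
.M.......    /etc/fedora-release
"""

if __name__ == "__main__":
    for path, why in drifted_repo_configs(SAMPLE).items():
        print(f"{path}: {', '.join(why)}")
```

A repo file written from a feed would not be owned by any package, so it would never appear in this output at all.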


More information about the Fedora-marketing-list mailing list