[OE-core] [PATCH v4 0/3] zypper: support signed repositories
Saul Wold
sgw at linux.intel.com
Mon Jan 30 23:56:10 UTC 2012
On 01/30/2012 03:29 PM, Steve Sakoman wrote:
> On Mon, Jan 30, 2012 at 2:13 PM, Saul Wold<sgw at linux.intel.com> wrote:
>
>> This would imply that we need to have a GPLv2 Version of the gnupg
>> recipe also, Steve if you had to look at or handle the newer GPLv3 gnupg
>> code itself, you may not be able to write the GPLv2 recipe or create patches
>> for it, can you arrange for someone to create that patch?
>
> OE-classic has a recipe for gnupg-1.4.10, so perhaps the safest
> approach would be to import that recipe since I *have* browsed the
> gnupg v2 code.
>
You mean v3 code no doubt.
> I know from experience that signed repositories won't work for that
> version as-is. Zypper explicitly uses gpg2.
>
Any idea how much work there is there? Do you know of anyone that can
help out with this?
> It *may* be that gpg and gpg2 are compatible enough that you could get
> away with a symlink and a v1.x version of gnupg. Or perhaps one could
> patch zypper to try gpg if gpg2 isn't present. Thoughts?
>
I think it would be clearer if we patch zypper for gpg instead of hiding
behind a symlink. Other tools that may want to use gpg2 might get the
wrong thing.
Another possibility would be disable signed repos for non-GPLv3, but I
am not wild about that idea since it's highly likely that a commercial
vendor would want to provide signed repos in a non-GPLv3 device for
security and sanity.
Sau!
> Steve
>
More information about the Openembedded-core
mailing list