[jhbuild] Fix security warning when using sysdeps --install



commit 842e685219b992c2a64d120fc8b468a7e52ba75c
Author: Michael Catanzaro <mcatanzaro gnome org>
Date:   Fri Dec 19 11:05:25 2014 -0600

    Fix security warning when using sysdeps --install
    
    Attempting to run 'jhbuild sysdeps --install' on Fedora 21:
    
    "This software is not from a trusted source. Do not install this
    software unless you are sure it is safe to do so."
    
    The security warning is due to misuse of PackageKit's API, which changed
    a couple of years ago. Thanks to Richard Hughes for help debugging.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=741774

 jhbuild/utils/systeminstall.py |   13 ++++++++++++-
 1 files changed, 12 insertions(+), 1 deletions(-)
---
diff --git a/jhbuild/utils/systeminstall.py b/jhbuild/utils/systeminstall.py
index b54fc7d..d77a0e2 100644
--- a/jhbuild/utils/systeminstall.py
+++ b/jhbuild/utils/systeminstall.py
@@ -158,6 +158,7 @@ PK_PROVIDES_ANY = 1
 PK_FILTER_ENUM_NOT_INSTALLED = 1 << 3
 PK_FILTER_ENUM_NEWEST = 1 << 16
 PK_FILTER_ENUM_ARCH = 1 << 18
+PK_TRANSACTION_FLAG_ENUM_ONLY_TRUSTED = 1 << 1
 
 # NOTE: This class is unfinished
 class PKSystemInstall(SystemInstall):
@@ -255,7 +256,17 @@ class PKSystemInstall(SystemInstall):
         logging.info(_('Installing:\n  %s' % ('\n  '.join(pk_package_ids, ))))
 
         txn_tx, txn = self._get_new_transaction()
-        txn_tx.InstallPackages(True, pk_package_ids)
+        if self._pk_major == 1 or (self._pk_major == 0 and self._pk_minor >= 8):
+            # Using OnlyTrusted might break package installation on rawhide,
+            # where packages are unsigned, but this prevents users of normal
+            # distros with signed packages from seeing security warnings. It
+            # would be better to simulate the transaction first to decide
+            # whether OnlyTrusted will work before using it. See
+            # http://www.freedesktop.org/software/PackageKit/gtk-doc/introduction-ideas-transactions.html
+            txn_tx.InstallPackages(PK_TRANSACTION_FLAG_ENUM_ONLY_TRUSTED, pk_package_ids)
+        else:
+            # PackageKit 0.7.x and older
+            txn_tx.InstallPackages(True, pk_package_ids)
         self._loop.run()
 
         logging.info(_('Complete!'))
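Review bot: The version test on the added `if` matches only PackageKit 1.x and 0.8+, so a later major version would fall through to the legacy branch and pass `True`, which the flag-based API would presumably read as a bitfield without the only-trusted bit. Comparing tuples keeps the trusted-only path as the default for anything newer: `if (self._pk_major, self._pk_minor) >= (0, 8):`. The comment already notes that OnlyTrusted can fail for unsigned packages; how that failure surfaces after `self._loop.run()` is not visible here, so it is worth confirming that it is reported as an error and not retried without the flag. The enclosing method starts and ends outside the hunk.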

