[lsb-discuss] There is no good package management for LSB packages
tytso at mit.edu
Mon Feb 11 17:05:16 PST 2008
On Fri, Feb 08, 2008 at 12:03:04PM +0100, Till Kamppeter wrote:
> During the implementation of distribution-independent printer/scanner
> driver packages automatically downloadable from the OpenPrinting web site
> we have discovered that some important features are missing:
> - Handling of electronic signatures to assure that the packages are really
> the original ones
We could certainly look into uplifting the RPM specification to
include the digital signatures which are used by most of the RPM-based
distros. However, this wouldn't mean that distributions would
configure an LSB-managed signing key as being automatically trusted by
customers. We could make the key available and tell customers that
they should configure their systems, but obviously not everyone would
be willing to do this. Also if OpenPrinting wanted to do this for
printer driver packages, we would need to think very carefully about
how to protect the signing key since if the key were ever stolen
and then used by bad guys to install trojan horse software, we
would be opening ourselves up to a pretty large liability issue.
Another potential issue is that I'm not sure whether alien supports
validating the digital signature (I suspect it just ignores it).
> - Handling of automatic updates, especially to fix security problems, doing
> automated updates every 24 hours
> The distributions provide these features by their package managers, like
> YaST, yum, urpmi, apt-get, ... Unfortunately, every distro has its own tool
> here. We will need some mechanism to do this in a distribution-independent
> way, for LSB packages.
> Perhaps this is also a reason why the LSB did not get very well adopted
I'm not sure this is something that most ISVs are considering as the
highest priority issue for why they aren't adopting the LSB, but we
can certainly ask them.