Not (too) much time has passed since version 4.0 of the package manager used by many distributions appeared, and version 4.1 has already been announced. The most interesting of the new features are concurrent access to the package database by several rpm processes and the rpmdb-redhat package. With the latter installed, RPM is more helpful when installing new packages, because it can suggest packages that satisfy unresolved dependencies.

From Wed Sep 18 22:27:31 2002
Date: Wed, 18 Sep 2002 11:48:52 -0400
From: Jeff Johnson
Reply-To:
To:
Subject: rpm-4.1 released

Rpm 4.1 is now available at

The final part of the release (6x, 7x, etc) indicates the version
of Red Hat Linux for which the package has been built. For example,
the i386 packages for Red Hat 6.2 are

        rpm-4.1-6x.i386.rpm
        rpm-devel-4.1-6x.i386.rpm
        rpm-build-4.1-6x.i386.rpm
        rpm-python-4.1-6x.i386.rpm
        popt-1.7-6x.i386.rpm

This version is also available through anonymous cvs:

        cvs -d login
        (no password, just carriage return)
        cvs -d get rpm
        cd rpm
        cvs up -r rpm-4_1-release

You will need the versions of libtool, autoconf, and automake identified
in if you wish to build from CVS.

Please report any difficulties, problems, issues, feature requests, whatever at

Here's a brief summary of features that have been added. See the
CHANGES file in the src rpm for the gory details.

1) Header signatures and digests, if available, are verified when (first)
   retrieved from the rpm database.

2) The rpm database permits concurrent access. That means that it is now
   possible to run rpm in %post scriptlets.

   Note: What still remains is to find out whether there are deadlocks
   (there are), and whether the deadlocks can be avoided or otherwise
   handled gracefully. I'd really like to support (at least read)
   concurrent access to the rpm database, but it's gonna take a lot
   of careful (i.e. reproducible) testing to achieve that goal. Any
   and all help is appreciated. What's very promising is that the
   problems are deadlocks, not segfaults, but reproducing deadlocks
   is gonna be quite challenging.

3) The rpmdb-redhat package (which contains an "everything" rpm database),
   if installed, will be used to provide suggested solutions for unresolved
   dependencies.
   Try installing the rpmdb-redhat package from Raw Hide if
   interested.

DSA/RSA signature verification using RFC-2440 OpenPGP V3
packets is now implemented directly in rpm. The signature,
if available, is always verified when reading a package, and failures
are always reported.

Signing is done with gpg/pgp helpers as always, and both a new,
header-only, as well as the Good Old header+payload signature
are generated. In fact, all of Red Hat 7.3 was signed with rpm-4.1,
so both signatures should be present in 7.3 packages.

What's also new is pubkey management using --import. Basically
        rpm --import RPM-GPG-KEY
(or any ascii armored OpenPGP pubkey) will wrap the binary OpenPGP
packet in a header, and install just like any other package.

Here's what you see if you have not yet imported the correct pubkey(s):

bash$ sudo rpm -Uvh popt-1.7-7x.i386.rpm
warning: popt-1.7-7x.i386.rpm: Header V3 DSA signature: NOKEY, key ID db42a60e
...

Here's what the Red Hat pubkeys look like when imported:
==========================================================================
bash$ rpm -qa | grep pubkey
gpg-pubkey-0352860f-3c3cb5e4
gpg-pubkey-db42a60e-37ea5438

bash$ rpm -qi gpg-pubkey-db42a60e
Name        : gpg-pubkey                   Relocations: (not relocateable)
Version     : db42a60e                          Vendor: (none)
Release     : 37ea5438                      Build Date: Sat 16 Mar 2002 10:47:53 AM EST
Install date: Sat 16 Mar 2002 10:47:53 AM EST      Build Host: localhost
Group       : Public Keys                   Source RPM: (none)
Size        : 0                                License: pubkey
Summary     : gpg(Red Hat, Inc )
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.1 (beecrypt-2.2.0)

[...]
-----END PGP PUBLIC KEY BLOCK-----
==========================================================================

For the extremely security conscious and the overly curious, I note the
following limitations:

        1) there's no attempt (yet) to verify the signature on the
        pubkey before verifying the package signature.

        2) there's no attempt (yet) to implement any trust model using
        OpenPGP packets. All imported keys in the rpm database are considered
        trusted.

        3) only V3 signatures are implemented ATM.

If that's not to your taste, then you can export the signature from a
package and verify using gpg outside of rpm. For example, here's a
short script that verifies the traditional header+payload signatures of
a package using gpg:

==========================================================================
#!/bin/sh

for pkg in "$@"
do
    if [ "$pkg" = "" -o ! -e "$pkg" ]; then
        echo "no package supplied" 1>&2
        exit 1
    fi

    plaintext=`mktemp $0-$$.XXXXXX`
    detached=`mktemp $0-$$.XXXXXX`

# --- Extract detached signature
    rpm -qp -vv --qf '%{siggpg:armor}' "$pkg" > $detached

# --- Figger the offset of header+payload in the package
    leadsize=96
    o=`expr $leadsize + 8`

    # od prints the file offset first, so the 8 bytes land in $2..$9
    set `od -j $o -N 8 -t u1 "$pkg"`
    il=`expr 256 \* \( 256 \* \( 256 \* $2 + $3 \) + $4 \) + $5`
    dl=`expr 256 \* \( 256 \* \( 256 \* $6 + $7 \) + $8 \) + $9`

    sigsize=`expr 8 + 16 \* $il + $dl`
    o=`expr $o + $sigsize + \( 8 - \( $sigsize % 8 \) \) % 8`

# --- Extract header+payload
    dd if="$pkg" ibs=$o skip=1 2>/dev/null > $plaintext

# --- Verify DSA signature using gpg
    gpg --batch -vv --verify $detached $plaintext

# --- Clean up
    rm -f $detached $plaintext
done
==========================================================================

Enjoy

73 de Jeff

--
Jeff Johnson	ARS N3NPQ (
Chapel Hill, NC

_______________________________________________
Rpm-list mailing list
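
The offset arithmetic in the script above, as an added example that is not part of the original announcement: it locates the header+payload region covered by the traditional signature and adds magic and bounds checks the script does not perform. The function names and the `build_sample` input are constructed for illustration; the lead and header magic values are those of the rpm file format.

```python
import struct

LEAD_SIZE = 96                        # fixed-size rpm lead, as in the script
LEAD_MAGIC = b"\xed\xab\xee\xdb"      # first four bytes of every rpm file
HEADER_MAGIC = b"\x8e\xad\xe8\x01"    # header structure magic + version byte


def signed_region_offset(pkg: bytes) -> int:
    """Return the offset where header+payload (the signed bytes) begin."""
    if len(pkg) < LEAD_SIZE + 16:
        raise ValueError("truncated: no room for lead and signature header intro")
    if pkg[:4] != LEAD_MAGIC:
        raise ValueError("bad lead magic")
    if pkg[LEAD_SIZE:LEAD_SIZE + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    # Skip 4 bytes magic/version + 4 reserved, then read the big-endian
    # index entry count (il) and data length (dl).
    il, dl = struct.unpack(">II", pkg[LEAD_SIZE + 8:LEAD_SIZE + 16])
    sigsize = 8 + 16 * il + dl        # il/dl words + 16-byte entries + data
    pad = (8 - sigsize % 8) % 8       # signature header is padded to 8 bytes
    offset = LEAD_SIZE + 8 + sigsize + pad
    if offset > len(pkg):
        raise ValueError("il/dl point past end of file")
    return offset


def build_sample(il: int, dl: int, body: bytes) -> bytes:
    """Constructed input (not a real package): lead + signature header + body."""
    lead = LEAD_MAGIC + bytes(LEAD_SIZE - 4)
    sig = HEADER_MAGIC + bytes(4) + struct.pack(">II", il, dl) + bytes(16 * il + dl)
    return lead + sig + bytes((8 - len(sig) % 8) % 8) + body


if __name__ == "__main__":
    sample = build_sample(2, 21, b"HEADER+PAYLOAD")
    start = signed_region_offset(sample)
    print(start, sample[start:])
```

The bytes from the returned offset to the end of the file are what the script hands to gpg as the signed plaintext.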

Archived news item added by user: honey.