RPM roadmapping
Panu Matilainen
pmatilai at redhat.com
Tue Aug 7 12:21:54 UTC 2007

On Fri, 27 Jul 2007, Jeff Spaleta wrote:
> On 7/27/07, Leszek Matok <Lam at lam.pl> wrote:
>> - Tell if a given package was installed by hand (rpm -i/U/F) or (if installed
>> by yum/apt/whatever) which repository did it come from. Some people suggested
to use "Signature:" for that, but that only tells, which repo this package was
>> first published on, and I want to know, where did I get it from in reality.
>
> Like the actual url it was pulled from, regardless of which mirror in
a dynamically generated mirrorlist you used in that run? A
> repository-wide signature/cert referenced in signed repository
> metadata from the repository might be better in some ways than the
full url to a specific mirror.

Repository signatures would have their uses, but that doesn't really work
on rpm level. You could have downloaded manually and rpm -Uvh'd into the
system, there's no trace of the package origins anywhere then. Except the
package signature which is already recorded in rpmdb.

In other words, I think the package signature is the best indicator of
package origins you can realistically get.

Making the already existing information more easily accessible and usable
is another topic :)

- Panu -
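
An added example, not part of the original message: one way to group installed packages by the signing key recorded in rpmdb, which shows who signed each package but not which mirror or repository it was fetched from. The function names, the "unsigned" label, and the sample package names and key IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise package origin by the signing key stored in rpmdb.
# On a live system the input would come from a query such as the one behind
# the "Signature:" line of `rpm -qi`:
#   rpm -qa --qf '%{NAME}\t%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|\n'
# The block below runs offline on constructed data instead.

# Constructed sample: "name<TAB>signature" lines; key IDs are made up.
sample_rpmdb() {
    printf '%s\t%s\n' \
        bash 'DSA/SHA1, Mon 06 Aug 2007 10:00:00 AM UTC, Key ID aaaaaaaaaaaaaaaa' \
        glibc 'DSA/SHA1, Mon 06 Aug 2007 10:05:00 AM UTC, Key ID aaaaaaaaaaaaaaaa' \
        thirdparty-codec 'DSA/SHA1, Sun 05 Aug 2007 09:00:00 AM UTC, Key ID bbbbbbbbbbbbbbbb' \
        localbuild '(none)'
}

# Reads "name<TAB>signature" lines on stdin and prints one line per signer:
#   <key id or "unsigned"> <package count> <comma-separated package names>
origin_summary() {
    awk -F '\t' '
        {
            key = "unsigned"                 # no signature header recorded
            if (match($2, /Key ID [0-9a-fA-F]+/))
                key = substr($2, RSTART + 7, RLENGTH - 7)
            sep = (key in pkgs) ? "," : ""
            pkgs[key] = pkgs[key] sep $1
            count[key]++
        }
        END {
            for (k in count)
                printf "%s %d %s\n", k, count[k], pkgs[k]
        }
    ' | LC_ALL=C sort
}

sample_rpmdb | origin_summary
```

Packages that land in the "unsigned" group, or under a key ID that is not among the keys you imported deliberately, are the ones whose origin the rpmdb cannot vouch for.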