- The basic concept is not without merit but what was implemented here
has been stuck in experimental state in middle of two sorta conflicting
goals for four years now, and world has moved onward in the meanwhile.
The sepolicy part is better handled in the new selinux plugin, and other
action business belongs to packages (in the form of some trigger-like
scripts or such) rather than rpm plugins.
- Deleted here, but the sepolicy plugin functionality still needs
merging into the new selinux plugin...
- RPMTAG_COLLECTIONS left in place but tagged unimplemented as per policy
to never actually remove tags
* Init then translate all strings
* Add vi to LINGUAS
Signed-off-by: Trần Ngọc Quân <vnwildman@gmail.com>
Signed-off-by: Panu Matilainen <pmatilai@redhat.com>
- This stuff doesn't belong in rpmfi, rpmte, psm or anywhere else either.
Invent a new dark hole to shove it into...
- No functional changes as such, just shuffling things around.
- Add popt exec aliases to rpmdb for backwards compatibility
- Change test-suite to use 'rpmdb --initdb' instead of 'rpm --initdb'
as popt exec aliases with absolute paths dont play very well
with the test-suite, duh...
- rpmdb maintenance only requires privileges on the rpmdb directory,
not elsewhere on the system. Splitting to separate tool allows
finer grained SELinux policies and makes adding new db-specific
switches saner.
- Keyring operations (adding/viewing/removing keys and verifying
packages against a given keyring) are different from main rpm operations
in that they only need access to the rpm keyring, and no write access
anywhere else in the system. At the moment the rpm keyring happens
to be the rpmdb but that's just an implementation detail that is
likely to change sooner or later. Besides paving way to separating
the rpm keyring from the rpmdb, splitting this to a small, separate
utility allows limiting its required access from SELinux POV etc.
- For now, this only implements what's already in rpm: --import and
--checksig, remaining operations like listing and manipulating
keyring contents is left as an exercise for another day...
- Signing (and deleting) are different from everything else in rpm
in that it needs very little of rpm's facilities. For example access
to the rpmdb is not needed at all. Splitting this to a separate,
small utility allows various possibilities, like severely limiting
its access from SELinux POV, control of signature generation with
cli arguments (the main rpm executable is already overcrowded with
options). It's also the first step to allow reasonably splitting
rpm signing to a separate package; not everybody needs to sign
packages, yet signing support needs to drag in GPG and whatnot.
- Reimplement / refactor various librpm signature generation helpers
into somewhat saner internal versions.
Piotr Drąg