9:14 p.m.
>>>> "David" == David Bush
<david.bush(a)adn.alcatel.com> writes:
David>
David> I've noticed one other minor annoyance. If I select "r", the list
of
David> required packages is built without reqard to whether the packages are
David> up to date or not.
Yup, that's my fault, I'll look at it tonight.
Darryl Okahata writes:
> > No, it will just ask you if you want to continue without verification.
>
> OK, I'll whack together a patch for this.
Are you sure we need a variable to disable the PGP signature verification?
> Whoa. The `package-get-base-filename' needs to be made into
a
> plain filename (no directory, unless it's a relative path), that's
> located via the paths in `package-get-remote'. Right now, we've got
> two places that contains ftp site information, and we should be using
> only one (`package-get-remote'). Why make people change two variables
> when one will suffice? (This does, however, raise the problem where the
> `package-get-base-filename' file could be obtained from a different
> location from the other packages.)
How about if when it is relative it is searched for in that path?
And the default would be relative. I can do this tonight.
9:49 p.m.
New subject: Remaining package issues in latest (pre8) XEmacs
greg(a)alphatech.com wrote:
Are you sure we need a variable to disable the PGP signature
verification?
We don't necessarily need a variable to disable the verification,
but we (at least) need a variable to suppress asking the user if he
really wants to install the package *if* PGP & friends are NOT
available. The default, of course, would be to always ask the user.
I'll whack up a quick patch for this.
>> Whoa. The `package-get-base-filename' needs to be made
into a
>> plain filename (no directory, unless it's a relative path), that's
>> located via the paths in `package-get-remote'. Right now, we've got
>> two places that contains ftp site information, and we should be using
>> only one (`package-get-remote'). Why make people change two variables
>> when one will suffice? (This does, however, raise the problem where the
>> `package-get-base-filename' file could be obtained from a different
>> location from the other packages.)
How about if when it is relative it is searched for in that path?
And the default would be relative. I can do this tonight.
Yes, that'll work (I'll assume that you'll create the patch).
However, note that `package-get-remote' is a list of paths, and not a
single path. Also, package-get-remote can contain both remote (efs) and
local paths.
Furthermore, note that adding the directory in `package-get-dir' to
the beginning of `package-get-remote' creates a local package cache.
When installing packages, this will cause the installer to first look in
the local `package-get-dir' directory, and only fetch the package
remotely if a local copy doesn't exist. (This does assume that
`package-get-remove-copy' is nil, though.)
--
Darryl Okahata
darrylo(a)sr.hp.com
DISCLAIMER: this message is the author's personal opinion and does not
constitute the support, opinion, or policy of Hewlett-Packard, or of the
little green men that have been following him all day.
9:56 p.m.
New subject: Remaining package issues in latest (pre8) XEmacs
>>>> "Darryl" == Darryl Okahata
<darrylo(a)sr.hp.com> writes:
Darryl>
Darryl> greg(a)alphatech.com wrote:
> Are you sure we need a variable to disable the PGP signature
verification?
Darryl>
Darryl> We don't necessarily need a variable to disable the verification,
Darryl> but we (at least) need a variable to suppress asking the user if he
Darryl> really wants to install the package *if* PGP & friends are NOT
Darryl> available. The default, of course, would be to always ask the user.
I'm still not convinced we need this.
How about if the file is (not (file-remote-p file))
I don't ask about it being OK without PGP?
Darryl> I'll whack up a quick patch for this.
Once we agree, I can just do it. I have to hack that
stuff later anyway.
> How about if when it is relative it is searched for in that
path?
> And the default would be relative. I can do this tonight.
Darryl>
Darryl> Yes, that'll work (I'll assume that you'll create the patch).
Darryl> However, note that `package-get-remote' is a list of paths, and not a
Darryl> single path. Also, package-get-remote can contain both remote (efs) and
Darryl> local paths.
Darryl>
Darryl> Furthermore, note that adding the directory in `package-get-dir' to
Darryl> the beginning of `package-get-remote' creates a local package cache.
Darryl> When installing packages, this will cause the installer to first look in
Darryl> the local `package-get-dir' directory, and only fetch the package
Darryl> remotely if a local copy doesn't exist. (This does assume that
Darryl> `package-get-remove-copy' is nil, though.)
OK
3:21 a.m.
New subject: Remaining package issues in latest (pre8) XEmacs
On Fri, 16 Oct 1998 16:56:04 EDT, you said:
How about if the file is (not (file-remote-p file))
I don't ask about it being OK without PGP?
Wrong test. This same whoops has been the cause of many
a reported problem in Java, JavaScript, ActiveX, and other
network-aware creations.
Consider the following:
1) Person manages to stash a package-oid file in your system's
~ftp/incoming directory.
2) Person manages to get you to reference said file somehow.
3) Hey, it's on your system.. it doesn't need to be checked.. Whoops.
I'll dig up all the CERT advisories and Bugtraq postings on this
if anybody cares. ;)
/Valdis
9525
days inactive
9528
days old
3 comments
3 participants
participants (3)
-
Darryl Okahata -
Greg Klanderman -
Valdis Kl=?iso8859-4?Q?=BA?=tnieks