Bug 694213

Summary: problems with one-click installation and keys of third-party repositories
Product: [openSUSE] openSUSE 11.3 Reporter: Ulrich Windl <Ulrich.Windl>
Component: YaST2Assignee: Ladislav Slezák <lslezak>
Status: RESOLVED FIXED QA Contact: Jiri Srain <jsrain>
Severity: Normal    
Priority: P4 - Low CC: dmacvicar
Version: Final   
Target Milestone: ---   
Hardware: x86   
OS: openSUSE 11.3   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 713068    
Bug Blocks:    

Description Ulrich Windl 2011-05-17 08:45:30 UTC 
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.1.19) Gecko/20110420 SUSE/2.0.14-0.2.1 SeaMonkey/2.0.14

When you want to have any multimedia experience in openSUSE 11.3, you need third-party repositories (as advised). Unfortunately this adds about as many problems as it solves:
1) Explanations says if you don't import a third-party key, you'll have to confirm packages individually. That's not true: No packages are installed unless you import the keys (because the repository cache isn't even built otherwise)
2) Having configured a repository where the key wasn't imported results in breaking the updateer applet (in GNOME): A warning about the untrusted key pops up, but security updates from the trusted source (i.e. Novell) are not advertised any more. Fortunately "yast online_update" still works with some interactive chat.

Reproducible: Always

Steps to Reproduce:
1. Install some multi-media packages from third party (like: Packman Repository, libdvdcss repository) as advertised, but don't import all keys

Actual Results:  
The software installation experience severely degrades to little fun.

Expected Results:  
Software installation experience should not be affected negatively.

Example:
# LANG= zypper refresh
Retrieving repository 'Packman Repository' metadata [\]

New repository or package signing key received:
Key ID: 45A1D0671ABD1AFB
Key Name: PackMan Project (signing key) <packman@links2linux.de>
Key Fingerprint: F8875B880D518B6B8C530D1345A1D0671ABD1AFB
Key Created: Mon Sep 20 22:37:32 2010
Key Expires: Fri Sep 19 22:37:11 2014
Repository: Packman Repository

Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r):
Comment 1 Duncan Mac-Vicar 2011-05-17 15:58:19 UTC 
For zypper you should use trust temporarily.

Sadly YaST changed the dialogs in a way that IMO is not right: removed trust now, and changed it to "Import". This has to be fixed. Users not even know what import means. And import is an implementation detail. The real concept is trust: now, forever, or just don't.
Comment 2 Ladislav Slezák 2011-07-20 14:41:43 UTC 
(In reply to comment #1)
> The real concept is trust: now, forever, or just don't.

IIRC there was a (feature?) request to simplify the selection, so there is "import" (forever) and "cancel" (never).

ad 2) this is a different problem (either in gnome applet or in packagekit), please create a separate bug report for it.

Ulrich, the title says "one-click installation", could you provide the URL for reproducing the problem? How can I reproduce it (step-by-step)?
Comment 3 Duncan Mac-Vicar 2011-07-21 09:03:41 UTC 
Even if you keep the two (forever) (never), the wording "Import" is an implementation detail of the "Trust" action. As a non technical user "Trust" something makes sense to me, but "Import" does not.
Comment 4 Ladislav Slezák 2011-08-08 11:30:51 UTC 
The label has been fixed in yast2-2.21.11.

Moreover I have slightly improved the layout and look in ncurses UI.

Resolving as FIXED (the second problem needs to be solved separately, see comment #2).
Comment 5 Michael Andres 2011-08-23 14:11:19 UTC 
Reopening, as the fix seems to introduce bug #713068.
Comment 6 Ladislav Slezák 2011-08-31 08:08:06 UTC 
Bug #713068 has been fixed in yast2-2.21.13, closing this bug.