[Triumf-linux-managers] Effects of the yum.conf option "obsoletes=1"

[Konstantin Olchanski]

On Wed, Aug 16, 2006 at 10:36:54AM -0700, Konstantin Olchanski wrote:
> On Tue, Aug 15, 2006 at 12:20:10PM -0700, Kel Raywood wrote:
> > ... you should have "obsoletes=1" in the [main] section
> 
> I confirm that adding "obsoletes=1" to yum.conf fixes
> the seamonkey stuff-up.

Adding "obsoletes=1" to yum.conf has this effect:

1) yum-conf becomes automatically upgraded to
   version "yum-conf-4x-..." overwriting
   any custom repository files (those using
   the triumf mirror revert back to using
   ftp.scientificlinux.org *without* gpg signature
   checking).
2) the new repository files point to SL version "4x"
   which today happens to be a symlink pointing to "43".
3) when run next time, yum upgrades all rpms from their
   current version (4.0, 4.1, 4.2) to version "SL4.3".
4) I assume that when SL4.4 comes out, the "4x" symlink
   will move from "43" to "44" and all machines will
   self-update to SL4.4.

All of this is reasonable and maybe even good, except
for reverting the yum repository files away from
the triumf mirror and except for disabling
the gpg signature checking.

I remind all that gpg signatures is the only line of defence
against bogus and compromised mirrors. At any time, without
notice, the ftp.scientificlinux.org DNS name can be hijacked
and become pointed to a site with doctored rpms, instantly
compromising all machines that blindly install anything without
checking for valid SL signatures.

SL has been very nice and stable for us for a very long time
and I am not amused by all these new gyrations, instability
and unexpected/unplanned self-upgrading.

I also note that the default CERN installation of SLC
is to use the "scl4X" repositories so I assume all
CERN machines also self-upgrade to the latest release of SLC.

-- 
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada