On Sun, Nov 30, 2008 at 06:56, solsTiCe d'Hiver <solstice.dhiver@gmail.com> wrote:
i like the original idea of pierre. i had the same one ;-)
because it's easier to implement and could be done quite quickly. it's quite time to shift to something a little more secure, even if it's not the *most* secure one. as soon the db is signed, we have a minimum security (not total i know, i read about the exploit in this thread)
package signing could be a second step as it will take even longer to complete (more work to be done in pacman and more things to agree upon)
in fact, i suggest a two steps approach.
I agree. We can talk until we're blue in the face about the "ideal" way to do it, but it doesn't mean a thing if it's not implemented. Let's get *something* done, even if it's not ideal.