On Wed, Feb 03, 2010 at 09:32:12PM +0300, Lex Rivera wrote:
> On 03/02/10 19:10, Florian Friesdorf wrote:
> > What about a peer trust network? Publishing packages on the AUR would involve giving a PGP public key. People sign their PKGBUILDs using their private key. People can define trust relationships towards other people ("I trust this person to write good PKGBUILDs" and "I trust this person's trust in others"). Being a TU would mean to be signed by the TU-Authority (or whatever) and trusting the TU authority's trust would mean you can install packages that are created by TUs.
> Peer trust network? Isn't that too hard for an ordinary user? Download key, import it, set trust level... If there is some list of "Checked Users" this will be easier and friendlier. But a peer trust net is a nice idea anyway.
yaourt could ship with the TU-Auth's public key and its default
configuration could be to trust packages by people that are signed by
the TU-Auth.
Key management should further be integrated into yaourt (or the like).
--
Florian Friesdorf