On 03/02/10 19:57, Florian Friesdorf wrote:
On Wed, Feb 03, 2010 at 07:55:10PM +0100, Laszlo Papp wrote:
On Wed, Feb 3, 2010 at 7:42 PM, Florian Friesdorf <flo@chaoflow.net> wrote:
On Wed, Feb 03, 2010 at 09:32:12PM +0300, Lex Rivera wrote:
On 03/02/10 19:10, Florian Friesdorf wrote:
What about a peer trust network? Publishing packages on the AUR would involve giving an pgp public key. People sign their PKGBUILDs using their private key. People can define trust relationships towards other people ("I trust this person to write good PKGBUILDs" and "I trust this person's trust in other's"). Being a TU would mean to be signed by the TU-Authority (or whatever) and trusting the TU authority's trust would mean you can install packages that are created by TU's.
Peer trust network? Isn't that too hard for ordinary user? Download key, import it, set trust level... If there will be some list of "Checked Users" this will be easier and friendlier. But peer trust net is nice idea anyway.
yaourt could ship with the TU-Auth's public key and it's default configuration could be to trust packages by people that are signed by the TU-Auth.
key management should further be integrated into yoaurt (or the like)
Yaourt is not supported officially, and it's buggy and abandoned program at this momment, and it has got a very bad design concept to parse URLs directly, so much people wouldn't like to use it ...
Well, what are people using to install packages from AUR?
-- Florian Friesdorf <flo@chaoflow.net> GPG FPR: EA5C F2B4 FBBB BA65 3DCD E8ED 82A1 6522 4A1F 4367 Jabber/XMPP: flo@chaoflow.net OTR FPR: 9E191746 213321FE C896B37D 24B118C0 31785700 IRC: chaoflow on freenode,ircnet,blafasel,OFTC Yaourt is popular, but there is other good alternatives to it. I like yaourt interface, but... It's extremely slow. And not developed anymore. Compare it to packer for example. Anyway, gpg support at least for binary packages can be great, but i haven't seen any pacman gpg patches or even preluminary support.