On Thu, Apr 21, 2011 at 1:35 AM, Rémy Oudompheng <remyoudompheng@gmail.com> wrote:
Packages added from local files are not checked currently. These patches also introduce changes in the handling of PM_PGP_VERIFY_UNKNOWN that are not really convincing. We could skip these changes and just apply the other patches; however, we should probably give some thought to that.
Making the check level into an argument of the check function could also be an option.
So I'm going to soon send a set of patches that address and clash with a lot of what this patch set is doing. Rémy, I don't want to discourage you by any means with not applying these, as I drew ideas and inspiration from your patches, but I saw a fundamental problem with doing this at all in sync.c - it frankly just doesn't belong there.

Instead, the main push of my patches is to push this down into the load function itself, which allows both frontend and backend package loads to have the benefit of signature checks. I did already grab your UNKNOWN patches, so thanks for those.

-Dan