On Tue, Jun 3, 2008 at 1:59 AM, Pierre Schmitz <pierre@archlinux.de> wrote:
> On Tuesday, 03 June 2008 01:46:11, Geoffroy Carrier wrote:
>> We have to think about the default interaction. It would be easy to sign all packages as the first step, so expecting signed packages for the first pacman release including GPG support seems fair to me. I think we should ask the user for confirmation in case packages are not signed, like the apt tools do.
> First: great work, and thanks for starting the GPG signing in pacman. IMHO we should force devs to sign packages by default, because the whole thing will become useless if even one single package in our repos is not signed.
Keep in mind that this is:

1. An Arch decision, not a pacman decision.
2. A policy decision, not something that should be enforced by pacman code.

Enforcing this at the Arch-specific dbscripts level would be OK, but I don't think it is wise to force makepkg/pacman to sign all packages, especially those that are built for local use only. Some people don't have PGP keys, so this would be a pain in the ass.

-Dan