[pacman-dev] Signing by default (was: [PATCH] Add Keyring/--keyring option in alpm/pacman)
On Tue, Jun 3, 2008 at 1:59 AM, Pierre Schmitz <pierre@archlinux.de> wrote:
On Tuesday 03 June 2008 01:46:11, Geoffroy Carrier wrote:
We have to think about the default interaction. It would be easy to sign all packages as the first step, so expecting signed packages for the first pacman release including GPG support seems fair to me. I think we should ask the user for confirmation in case packages are not signed, like apt tools do.
First: great work and thanks for starting the gpg-signing in pacman. Imho we should force devs to sign packages by default, because the whole thing will become useless if even a single package in our repos is not signed.
Keep in mind that this is:
1. An Arch decision, not a pacman decision
2. A policy decision, not something that should be enforced by pacman code

Enforcing this at the Arch-specific dbscripts level would be OK, but I don't think it is wise to force makepkg/pacman to sign all packages, especially those that are built for local use only. Some people don't have PGP keys so this would be a pain in the ass.
-Dan
On Tuesday 03 June 2008 13:54:48, Dan McGee wrote:
Keep in mind that this is:
1. An Arch decision, not a pacman decision
2. A policy decision, not something that should be enforced by pacman code
Enforcing this at the Arch-specific dbscripts level would be OK, but I don't think it is wise to force makepkg/pacman to sign all packages, especially those that are built for local use only. Some people don't have PGP keys so this would be a pain in the ass.
Of course that's what I meant. This shouldn't be forced by pacman or makepkg. And yes, we need to discuss this on arch-dev when that feature is ready to use.
-- archlinux.de
On Tue, Jun 3, 2008 at 11:45 AM, Pierre Schmitz <pierre@archlinux.de> wrote:
On Tuesday 03 June 2008 13:54:48, Dan McGee wrote:
Keep in mind that this is:
1. An Arch decision, not a pacman decision
2. A policy decision, not something that should be enforced by pacman code
Enforcing this at the Arch-specific dbscripts level would be OK, but I don't think it is wise to force makepkg/pacman to sign all packages, especially those that are built for local use only. Some people don't have PGP keys so this would be a pain in the ass.
Of course that's what I meant. This shouldn't be forced by pacman or makepkg. And yes, we need to discuss this on arch-dev when that feature is ready to use.
OK, cool, just wanted to make sure we are on the same page. I'm looking forward to seeing this signing thing actually go forward. It is good to see someone getting involved with pacman on something like this.
-Dan