[pacman-dev] [PATCH] (newgpg) Let pacman specify GnuPG's home directory.

Aaron Griffin aaronmgriffin at gmail.com
Thu Dec 18 12:01:52 EST 2008


On Thu, Dec 18, 2008 at 10:42 AM, Pierre Schmitz <pierre at archlinux.de> wrote:
> On Thursday 18 December 2008 17:22:25 Aaron Griffin wrote:
>> I think "Optional" makes sense in some cases. Let's take the community
>> repo, where things tend to be a hodge-podge of ideas and attitudes. I
>> can imagine half the packages being signed, some being unsigned, and
>> some being signed by keys not in the keyring.
>
> Well, if that will be the case we can forget about the whole signing stuff.
> One "unprotected" package is enough to inject your custom code.

Right, but that's not what I'm saying. As a user, I might not care.
Actually, I don't. Here are our cases:

People who care about super-secure packages: Set things to "Always"
and then your system will only install signed packages.

Middle of the road people: Set core and extra to "Always" and other
repos to either "Never" or "Optional".

People who don't care: Everything is set to "Never".

See, I fall in the middle case. I'd love to have everything signed,
but I know it won't happen for everything all the time. So, if I set
community to "Always", I'm going to run into a case where I want to
install a package from community that is unsigned. We need a "fuck it,
install it anyway" case.

Now, instead of the "Optional" setting, if there was a
--skip-signature flag that I could use, I would also be sated. Either
way, I'd just like to see a case where I can force it to skip the
signature check.
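The per-repository policy sketched above ("Always", "Optional", "Never" plus an override flag), as an added example that is not pacman's code and not from the thread's author. GnuPG is replaced by an HMAC-SHA256 stand-in so the example runs offline; the keyring, key ids, repository names and package bytes are constructed sample data, and the treatment of "signed by a key not in the keyring" under "Optional" (rejected here) is this example's choice, not something the thread settles.

```python
import hashlib
import hmac
from enum import Enum

# Added example, not pacman's code. Models the per-repository policy levels
# discussed in the thread ("Always", "Optional", "Never") and a
# --skip-signature override. GnuPG is replaced by an HMAC-SHA256 stand-in so
# the example runs offline; the keyring, key ids and package bytes are
# constructed sample data.


class Policy(Enum):
    ALWAYS = "Always"
    OPTIONAL = "Optional"
    NEVER = "Never"


class SigStatus(Enum):
    VALID = "valid"          # signature verifies with a key in the keyring
    UNSIGNED = "unsigned"    # no detached signature shipped at all
    UNKNOWN_KEY = "unknown"  # signed by a key id that is not in the keyring
    BAD = "bad"              # key known, but the signature does not verify


# Stand-in "keyring": key id -> key material (assumption; GnuPG would hold
# public keys here and verify real OpenPGP signatures instead).
KEYRING = {"ARCHKEY1": b"core-signing-secret"}


def sign(key_id, key, data):
    """Produce a (key_id, mac) pair; a stand-in for a detached .sig file."""
    return key_id, hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(data, sig):
    """Classify a package's signature the way the policy engine needs it."""
    if sig is None:
        return SigStatus.UNSIGNED
    key_id, mac = sig
    key = KEYRING.get(key_id)
    if key is None:
        return SigStatus.UNKNOWN_KEY
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    return SigStatus.VALID if hmac.compare_digest(mac, expected) else SigStatus.BAD


def decide(policy, status, skip_signature=False):
    """True if a package with signature `status` may be installed.

    The override and "Never" accept everything. "Always" accepts only a
    valid signature. "Optional" tolerates a *missing* signature but still
    rejects one that is present and fails (bad, or unknown key).
    """
    if skip_signature or policy is Policy.NEVER:
        return True
    if status is SigStatus.VALID:
        return True
    if policy is Policy.ALWAYS:
        return False
    return status is SigStatus.UNSIGNED


def check_install(repo_policy, repo, data, sig, skip_signature=False):
    """Apply the policy configured for `repo` to one package."""
    status = verify(data, sig)
    return decide(repo_policy[repo], status, skip_signature), status


# Constructed config and packages: the "middle of the road" setup.
REPO_POLICY = {"core": Policy.ALWAYS, "extra": Policy.ALWAYS,
               "community": Policy.OPTIONAL}
PKG = b"glibc-2.9-1-x86_64.pkg.tar.gz contents"
GOOD_SIG = sign("ARCHKEY1", KEYRING["ARCHKEY1"], PKG)
FORGED_SIG = ("ARCHKEY1", "00" * 32)                  # known key, wrong MAC
FOREIGN_SIG = sign("TUKEY42", b"some-tu-secret", PKG)  # key not in keyring

if __name__ == "__main__":
    for repo, sig in [("core", GOOD_SIG), ("core", None),
                      ("community", None), ("community", FORGED_SIG),
                      ("community", FOREIGN_SIG)]:
        ok, status = check_install(REPO_POLICY, repo, PKG, sig)
        print(f"{repo:10} {status.value:9} -> {'install' if ok else 'reject'}")
```

Note the failure mode Pierre's reply points at: under "Optional", a package whose signature has simply been stripped (`sig is None`) installs, so an attacker who can tamper with a mirror only has to delete the `.sig` file to bypass the check for that repository. That is the trade-off the "Optional" level buys, and the example keeps it explicit rather than hiding it; a forged or unknown-key signature, by contrast, is still rejected.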

