[pacman-dev] [PATCH] [RFC] Add UpgradeSigLevel configuration option

Dieter Plaetinck dieter at plaetinck.be
Thu Dec 22 06:32:01 EST 2011


On Thu, 22 Dec 2011 11:53:38 +0100
Thomas Bächler <thomas at archlinux.org> wrote:

> On 22.12.2011 11:26, Allan McRae wrote:
> > Use to override the global SigLevel value for upgrade operations.
> > 
> > e.g. when installing a package without a signature:
> > 
> > Fails to install:
> > SigLevel = Optional
> > UpgradeSigLevel = Required
> > 
> > Fails to install:
> > SigLevel = Required
> > 
> > Installs:
> > SigLevel = Required
> > UpgradeSigLevel = Optional
> > 
> > Installs:
> > SigLevel = Optional
> 
> I'll repeat some things that I said in the bug report - I have no idea
> if this is feasible and should be done now:
> 
> I would love to distinguish between -U <local file> and -U <URL>. The
> rationale is that I want automatically the highest security when I
> download something (meaning: 'Required' for -U <URL>) but more
> convenience when installing a local package that I build from AUR and
> thus never signed (meaning: 'Optional' for -U <local file>).

Just some thoughts...
If you built a package yourself, you can also just sign it and verify the signature when installing,
though this is a bit more computationally intensive...

Also, what if somebody sends you a package by mail or through some other medium than HTTP?
Then it will also be the '-U <local file>' case, but very different from the other '-U <local file>' case where you built it yourself.

Dieter