From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/20110131/002385.html | 99 +++++++++++++++++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 zarb-ml/mageia-dev/20110131/002385.html (limited to 'zarb-ml/mageia-dev/20110131/002385.html') diff --git a/zarb-ml/mageia-dev/20110131/002385.html b/zarb-ml/mageia-dev/20110131/002385.html new file mode 100644 index 000000000..dca8a8c52 --- /dev/null +++ b/zarb-ml/mageia-dev/20110131/002385.html @@ -0,0 +1,99 @@ + + + + [Mageia-dev] PGP keys and package signing + + + + + + + + + +

[Mageia-dev] PGP keys and package signing

+ Remy CLOUARD + shikamaru at mandriva.org +
+ Mon Jan 31 12:02:33 CET 2011 +

+
+ +
On Sun, Jan 30, 2011 at 08:16:36PM -0800, Motoko-chan wrote:
+> On 01/30/2011 07:16 PM, nicolas vigier wrote:
+[...]
+> >  - We add the board at mageia.org public key inside the urpmi package.
+> >    We change urpmi so that it refuses to use any key which has not been
+> >    signed by board at mageia.org. And urpmi should frequently update the
+> >    keys it is using from public keyservers to check that its signature
+> >    from board@ has not been revoked (or that the key self signature has
+> >    not been revoked).
+> What about third-party repositories, like PLF is to Mandriva? Making
+> that change would require that each of those repository owners have
+> their key signed to work with the urpmi framework. This could either
+> mean the death of urpmi for managing packages, diluting the trust of
+> the board@ key, or discouraging outside contributions.
+> 
+Well, not necessarily, third party repos could just provide their keys
+and describe how users should import it. AFAIK, that’s what’s done on
+Fedora side with the rpmfusion repo.
+> What if urpmi automatically trusts packages signed with a key signed
+> by board@ and prompt on the first install of a package that is
+> signed by a different key? The yum tool used by Fedora, RHEL, and
+> CentOS works very well by prompting on new keys.
+> 
+I’ve never used guis on Fedora, but for me you could as well install the
+rpm containing the third party keys with yum and the --nogpgcheck
+switch.
+
+I guess this option should be implemented in urpmi for that to work on
+our side.
+
+Regards,
+-- 
+Rémy CLOUARD
+() ascii ribbon campaign - against html e-mail
+/\ www.asciiribbon.org - against proprietary attachments
+-------------- next part --------------
+A non-text attachment was scrubbed...
+Name: not available
+Type: application/pgp-signature
+Size: 230 bytes
+Desc: not available
+URL: </pipermail/mageia-dev/attachments/20110131/b3308c6b/attachment.asc>
+
+ + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1
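Review bot: The attachment link near the end of the added file, `URL: </pipermail/mageia-dev/attachments/20110131/b3308c6b/attachment.asc>`, is a root-relative path under /pipermail/, while the file itself is created under zarb-ml/mageia-dev/20110131/, so the link only resolves if the serving host also exposes /pipermail/ at its root. This view is limited to the one file, so it does not show whether the scrubbed application/pgp-signature attachment is imported alongside it. If it is, rewrite the link relative to the archive's new location. If it is not, readers of the archived message have no way to fetch the detached signature and verify the mail, which is worth stating in the commit message.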