[Mageia-dev] PGP keys and package signing

Mon Jan 31 20:40:00 CET 2011

Op maandag 31 januari 2011 18:01:16 schreef nicolas vigier:
+> On Mon, 31 Jan 2011, Christophe Fergeau wrote:
+> > 2011/1/31 nicolas vigier <boklm at mars-attacks.org>:
+> > > On Sun, 30 Jan 2011, Motoko-chan wrote:
+> > >> What if urpmi automatically trusts packages signed with a key signed
+> > >> by board@ and prompt on the first install of a package that is signed
+> > >> by a different key? The yum tool used by Fedora, RHEL, and CentOS
+> > >> works very well by prompting on new keys.
+> > > 
+> > > For PLF packages, they will now be included on Mageia repository, so
+> > > most users should not need to use external repositories. However we
+> > > can add an option or prompt to disable this check, or an option to
+> > > manually add a new trusted key. As long as it's not automatically
+> > > downloaded from the mirror without asking for any confirmation.
+> > 
+> > You definitely want to let people set up their own local package
+> > repositories or to use 3rd party repositories, for example I did it
+> > sometimes at Mandriva for some tests, and I want to do it again for
+> > internal work/proprietary packages. I'm ok with having rpm/urpmi
+> > telling you you're about to install packages with an unknown
+> > signature/... as long as you can override it and tell it to let you
+> > install the package.
+> 
+> Yes, we should add an option somewhere to allow this.
+
+isn't it easier if local overrides would also provide a way to add keys that 
+can be validated, imo.
+
+I'm writing urpmi-proxy, and and i would like to have a good way to have local 
+overrides with their own key signed.
+
+perhaps if a diff key is detected, a certain procedure could be started that 
+could ask the user if this key is trusted or not, or refer to somewhere else?
+
+also, thinking on the upgrade path from Mandriva, i'm not sure how...
+