On Tue, Oct 29, 2002 at 08:47:26AM -0600, Brad Felmey wrote:
> How about putting your signing keys into a package that adds them to
> root's pubring?

However this does bring up an interesting idea.  Having urpmi/rpmdrake
know where to find the GPG keys for various sources.  I would propose
that a file name is made as a standard for the key for a source that is
placed in the same path as the hdlist/synthesis file.  That file would
contain a name or names of packages that contained the site's GPG keys.

On the first install from that source urpmi/rpmdrake would prompt the
user if they wished to install this key.  The file would then be
downloaded and installed prior to any other package installations.  

In the future if the key would need upgrading the version/release could
be incremented causing urpmi/rpmdrake to update it.  urpmi/rpmdrake
would store the package name(s) of the keys.  So it would always cause
that package to be updated in a separate rpm call prior to updating the
rest of the packages.

To ensure the keys and there is a trust chain it's possible Mandrake
could sign the packages for these people.  I don't think there are a lot
of sites using the urpmi system.  But perhaps Mandrake signing the
packages would be a bad idea for trust and work load issues.

Just a thought.  What do you guys think?

-- 
Ben Reser <[EMAIL PROTECTED]>
http://ben.reser.org

"If you're not making any mistakes, you're flat out not trying hard
enough." - Jim Nichols
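
A sketch of the two-phase ordering proposed in the message above, as an added example that is not part of the original post and is not urpmi or rpmdrake code. The index format, package names, signer ids and integer-tuple versions are assumptions, and the rule that a key-package update must be signed by an already-trusted key is an added check reflecting the trust-chain concern.

```python
# Added illustration: the index format, package names and signer ids are constructed.

def parse_key_index(text):
    """Hypothetical index format: one key-package name per line, '#' starts a comment."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.append(line)
    return names

def plan_install(index_text, available, recorded, trusted_signers, requested, confirm):
    """Split an install into a key phase and a package phase.

    available:       name -> (evr, signer) as offered by the source; evr is a tuple
                     of ints here, a simplification of RPM version comparison
    recorded:        name -> evr of key packages already installed from this source
    trusted_signers: signer ids already in the keyring (e.g. the distributor's key)
    confirm:         callback(name, vouched) -> bool, asked for a never-seen key package
    Returns (key_phase, package_phase, refused).
    """
    index_names = parse_key_index(index_text)
    key_phase, refused = [], []
    for name in index_names:
        if name not in available:
            refused.append((name, "listed in index but not offered by source"))
            continue
        evr, signer = available[name]
        vouched = signer in trusted_signers
        if name not in recorded:
            # First use: always ask, and tell the user whether a trusted key vouches.
            if confirm(name, vouched):
                key_phase.append(name)
            else:
                refused.append((name, "declined by user"))
        elif evr > recorded[name]:
            # Update: a bumped version alone proves nothing, require a trusted signature.
            if vouched:
                key_phase.append(name)
            else:
                refused.append((name, "update not signed by a trusted key"))
    # Key packages go in their own earlier transaction, never with the rest.
    package_phase = [p for p in requested if p not in index_names]
    return key_phase, package_phase, refused

if __name__ == "__main__":
    offered = {"example-site-keys": ((1, 0, 2), "site-key-B"), "foo": ((2, 1, 1), "site-key-B")}
    print(plan_install("example-site-keys\n", offered, {"example-site-keys": (1, 0, 1)},
                       {"distributor-key", "site-key-A"}, ["foo"], lambda n, v: True))
```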
