On Sun, Jan 30, 2011 at 08:16:36PM -0800, Motoko-chan wrote:
> On 01/30/2011 07:16 PM, nicolas vigier wrote:
> [...]
> > - We add the bo...@mageia.org public key inside the urpmi package.
> > We change urpmi so that it refuses to use any key which has not been
> > signed by bo...@mageia.org. And urpmi should frequently update the
> > keys it is using from public keyservers to check that its signature
> > from board@ has not been revoked (or that the key self signature has
> > not been revoked).
>
> What about third-party repositories, like PLF is to Mandriva? Making
> that change would require that each of those repository owners have
> their key signed to work with the urpmi framework. This could either
> mean the death of urpmi for managing packages, diluting the trust of
> the board@ key, or discouraging outside contributions.

Well, not necessarily: third-party repos could just provide their keys and
describe how users should import them. AFAIK, that's what's done on the
Fedora side with the rpmfusion repo.

> What if urpmi automatically trusts packages signed with a key signed
> by board@ and prompts on the first install of a package that is
> signed by a different key? The yum tool used by Fedora, RHEL, and
> CentOS works very well by prompting on new keys.

I've never used GUIs on Fedora, but for me you could as well install the
rpm containing the third-party keys with yum and the --nogpgcheck switch.
I guess this option should be implemented in urpmi for that to work on
our side.

Regards,

--
Rémy CLOUARD
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments
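The thread above sketches two trust policies for a package manager's key handling: accept only keys certified by the distribution's board@ key (re-fetching keys from keyservers so a revoked certification or a revoked key is noticed), or, yum-style, accept board-certified keys automatically and prompt the user once for any other key. The following model is an added illustration of how those rules combine; it is not code from the thread, from urpmi or from yum. The key identifiers (`board@mageia.org`, `packager@example.org`, `thirdparty@example.org`) and the keyserver dictionary are constructed sample data, and `Certification`/`PublicKey` are a deliberately simplified stand-in for real OpenPGP key material.

```python
# Added example: a model of the key-trust policy discussed in the thread.
# Keys and keyserver contents are constructed sample data, not real keys.
from dataclasses import dataclass, field
from typing import Dict, List, Set

BOARD_KEY_ID = "board@mageia.org"  # assumed identifier for the distribution's authority key


@dataclass
class Certification:
    """A signature that `signer` placed on another key; the signer may later revoke it."""
    signer: str
    revoked: bool = False


@dataclass
class PublicKey:
    key_id: str
    self_sig_revoked: bool = False  # the owner revoked the key itself
    certifications: List[Certification] = field(default_factory=list)

    def certified_by(self, signer: str) -> bool:
        """True if `signer` has a live (non-revoked) certification on this key."""
        return any(c.signer == signer and not c.revoked for c in self.certifications)


class KeyTrustPolicy:
    ACCEPT, PROMPT, REJECT = "accept", "prompt", "reject"

    def __init__(self, keyring: Dict[str, PublicKey], board_key_id: str = BOARD_KEY_ID):
        self.keyring = keyring
        self.board_key_id = board_key_id
        self.user_approved: Set[str] = set()  # keys accepted by the user at a first-install prompt

    def refresh_from_keyserver(self, keyserver: Dict[str, PublicKey]) -> None:
        """Replace local copies with current keyserver copies so revocations become visible."""
        for key_id, fresh in keyserver.items():
            if key_id in self.keyring:
                self.keyring[key_id] = fresh

    def decide(self, key_id: str) -> str:
        key = self.keyring.get(key_id)
        if key is None or key.self_sig_revoked:
            return self.REJECT  # unknown or revoked key: never usable
        board = self.keyring.get(self.board_key_id)
        board_live = board is not None and not board.self_sig_revoked
        if board_live and key.certified_by(self.board_key_id):
            return self.ACCEPT  # certified by board@: trusted automatically
        if key_id in self.user_approved:
            return self.ACCEPT  # third-party key the user already approved
        return self.PROMPT  # yum-style: ask on first use of an uncertified key

    def approve(self, key_id: str) -> None:
        """Record the user's answer to the first-install prompt."""
        key = self.keyring.get(key_id)
        if key is not None and not key.self_sig_revoked:
            self.user_approved.add(key_id)


def run_scenario() -> Dict[str, str]:
    """Walk through the cases the thread raises and return each decision."""
    board = PublicKey(BOARD_KEY_ID)
    packager = PublicKey("packager@example.org", certifications=[Certification(BOARD_KEY_ID)])
    third_party = PublicKey("thirdparty@example.org")
    policy = KeyTrustPolicy({k.key_id: k for k in (board, packager, third_party)})

    results = {}
    results["official_first_install"] = policy.decide("packager@example.org")
    results["third_party_first_install"] = policy.decide("thirdparty@example.org")
    policy.approve("thirdparty@example.org")  # user answered "yes" at the prompt
    results["third_party_after_approval"] = policy.decide("thirdparty@example.org")
    results["unknown_key"] = policy.decide("nobody@example.org")

    # Constructed keyserver state: board@ revoked its certification of the packager key,
    # and the third party revoked its own key.
    keyserver = {
        "packager@example.org": PublicKey(
            "packager@example.org", certifications=[Certification(BOARD_KEY_ID, revoked=True)]),
        "thirdparty@example.org": PublicKey("thirdparty@example.org", self_sig_revoked=True),
    }
    policy.refresh_from_keyserver(keyserver)
    results["official_after_cert_revoked"] = policy.decide("packager@example.org")
    results["third_party_after_key_revoked"] = policy.decide("thirdparty@example.org")
    return results


if __name__ == "__main__":
    for case, decision in run_scenario().items():
        print(f"{case}: {decision}")
```

The refresh step is what gives the "reject any key not signed by board@" rule its teeth: without periodically re-fetching keys, a revoked certification or a revoked key keeps working from the stale local copy. Note that a user's earlier approval of a third-party key does not survive that key's own revocation, while a board certification that is withdrawn only drops the key back to the prompt-on-first-use path.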