On Tue, Jun 3, 2008 at 1:59 AM, Pierre Schmitz <[EMAIL PROTECTED]> wrote:
> On Tuesday 03 June 2008 01:46:11 Geoffroy Carrier wrote:
>> We have to think about the default interaction.
>> It would be easy to sign all packages as the first step, so excepting
>> signed packages for the first pacman release including GPG support seems
>> fair to me. I think asking confirmation from the user in case packages
>> are not signed, like apt tools do.
>
> First: great work and thanks for starting the gpg-signing in pacman. Imho we
> should force devs to sign packages by default. Because the whole thing will
> become useless if only one single package in our repos is not signed.

Keep in mind that this is
1. An Arch decision, not a pacman decision
2. A policy decision, not something that should be enforced by pacman code

Enforcing this at the Arch-specific dbscripts level would be OK, but I
don't think it is wise to force makepkg/pacman to sign all packages,
especially those that are built for local use only. Some people don't
have PGP keys so this would be a pain in the ass.

-Dan
_______________________________________________
pacman-dev mailing list
[email protected]
http://archlinux.org/mailman/listinfo/pacman-dev
