On 20/02/11 10:36, Daniel Mendler wrote:
I think this should also go to a much more technical level. We have the
gpg tree in Allan's repository. As I said I tested it with a repository
and got it to work. So can you tell me what you need till this can be
merged into master?
1. Design a strategy to manage the keyrings and adapt the tools to it
2. Patches for the issues on the Package Signing Wiki Page
3. Patches to db-scripts to manage the database with gpg signatures
Some of the issues on the wiki page are really minor (e.g. rename
option). There are more complex ones (replacing verified db with
unverified one, reworking the signature checking code when using pacman
-U). And there are already patches for some of the issues.
So what do you say about the code quality of the branch? Is it
acceptable at this point or is there improvement needed? Are there other
blockers preventing you from merging it as soon as the points above are
solved?
As far as I am concerned, the major points on the TODO list that need
patches are the first five for pacman:
TODO: fix (and refactor) reading signatures for packages installed with -U
TODO: have a way to force a signature check with -U (i.e. abort if no
signature is found)
TODO: only replace old database when signature is valid
TODO: output when downloading signature file - name when downloaded
TODO: output when downloading signature file - "error" when not available
The other issues are all fairly minor (and the pacman-key/makepkg ones
mostly have patches that just need revised already).
So if patches are submitted for those five points, and any criticism
followed up, I will commit to then spending the time doing the needed
tidying/rebasing of the code on my gpg branch to have it suitable for
merging.
Allan