+1 to that. Reviewing yum to learn any lessons for our repository work is also a good idea I think.
- Brett

On Thu, 13 Jan 2005 15:47:35 -0500, Tim O'Brien <[EMAIL PROTECTED]> wrote:
> It should be the user's discretion, but it also might be a good thing to
> default to the most secure setting. Similar to the new version of yum, it
> won't connect to yum repositories unless you import keys from the
> repositories, or turn off key verification - secure by default.
>
> Tim
>
> -----Original Message-----
> From: Brett Porter [mailto:[EMAIL PROTECTED]
> Sent: Thu 1/13/2005 2:01 PM
> To: [EMAIL PROTECTED]
> Subject: Re: repo security
>
> > Would we be talking about "gpg --armor --output
> > commons-foo-1.2.jar.md5.asc --detach-sig commons-foo-1.2.jar". Or, is
> > there some other mechanism we would need to go through?
>
> This is what I'd intended to do in Wagon using Bouncycastle. And as
> Steve mentions, it can be at the user's discretion: skip it, check it
> from the same location, check it, getting keys from a specified
> trusted location, only trust if the key is already in my keychain are
> probably the levels.
>
> - Brett
