[Mageia-dev] PGP keys and package signing

Remy CLOUARD shikamaru at mandriva.org
Mon Jan 31 12:02:33 CET 2011


On Sun, Jan 30, 2011 at 08:16:36PM -0800, Motoko-chan wrote:
> On 01/30/2011 07:16 PM, nicolas vigier wrote:
[...]
> >  - We add the board at mageia.org public key inside the urpmi package.
> >    We change urpmi so that it refuses to use any key which has not been
> >    signed by board at mageia.org. And urpmi should frequently update the
> >    keys it is using from public keyservers to check that its signature
> >    from board@ has not been revoked (or that the key self signature has
> >    not been revoked).
> What about third-party repositories, like PLF is to Mandriva? Making
> that change would require that each of those repository owners have
> their key signed to work with the urpmi framework. This could either
> mean the death of urpmi for managing packages, diluting the trust of
> the board@ key, or discouraging outside contributions.
> 
Well, not necessarily, third party repos could just provide their keys
and describe how users should import them. AFAIK, that’s what’s done on
Fedora side with the rpmfusion repo.

> What if urpmi automatically trusts packages signed with a key signed
> by board@ and prompts on the first install of a package that is
> signed by a different key? The yum tool used by Fedora, RHEL, and
> CentOS works very well by prompting on new keys.
> 
I’ve never used GUIs on Fedora, but for me you could as well install the
rpm containing the third party keys with yum and the --nogpgcheck
switch.

I guess this option should be implemented in urpmi for that to work on
our side.

Regards,
-- 
Rémy CLOUARD
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
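
The two key-acceptance policies discussed in this thread (refuse any key not signed by board@, versus trust board@-signed keys and prompt on the first use of any other key), as an added example that is not urpmi code and not written by any poster. The key ids, the BOARD placeholder, the function names and the rule that a revoked board@ signature is a hard reject are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

BOARD = "BOARD-KEY-ID"  # placeholder for the board@ key shipped inside urpmi

@dataclass
class Key:
    key_id: str
    certified_by: set = field(default_factory=set)   # keys that signed this key
    revoked_certs: set = field(default_factory=set)  # signers that later revoked
    self_revoked: bool = False

def decide(key, accepted, strict):
    """Return 'trust', 'prompt' or 'reject' for a package-signing key.

    strict=True : only keys carrying a live board@ signature are usable.
    strict=False: other keys get a first-use prompt; `accepted` holds the
                  key ids the user has already approved.
    """
    if key.self_revoked:
        return "reject"
    if BOARD in key.revoked_certs:
        # Assumption: a withdrawn board@ signature is a hard failure, so the
        # key cannot fall back to the prompt path or to an earlier approval.
        return "reject"
    if BOARD in key.certified_by:
        return "trust"
    if strict:
        return "reject"
    return "trust" if key.key_id in accepted else "prompt"

# Constructed keyring; ids are made up for the example.
KEYRING = [
    Key("distro-main", certified_by={BOARD}),
    Key("third-party-repo"),
    Key("ex-packager", certified_by={BOARD}, revoked_certs={BOARD}),
    Key("compromised", certified_by={BOARD}, self_revoked=True),
]

def evaluate(accepted, strict):
    """Map each sample key id to the decision under the chosen policy."""
    return {k.key_id: decide(k, accepted, strict) for k in KEYRING}

if __name__ == "__main__":
    for strict in (True, False):
        print("strict" if strict else "prompt-on-new-key", evaluate(set(), strict))
    print("after user approval", evaluate({"third-party-repo"}, strict=False))
```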