[Mageia-dev] PGP keys and package signing

Remy CLOUARD shikamaru at mandriva.org
Mon Jan 31 12:02:33 CET 2011

On Sun, Jan 30, 2011 at 08:16:36PM -0800, Motoko-chan wrote:
> On 01/30/2011 07:16 PM, nicolas vigier wrote:
> >  - We add the board at mageia.org public key inside the urpmi package.
> >    We change urpmi so that it refuses to use any key which has not been
> >    signed by board at mageia.org. And urpmi should frequently update the
> >    keys it is using from public keyservers to check that its signature
> >    from board@ has not been revoked (or that the key self signature has
> >    not been revoked).
> What about third-party repositories, like PLF is to Mandriva? Making
> that change would require that each of those repository owners have
> their key signed to work with the urpmi framework. This could either
> mean the death of urpmi for managing packages, diluting the trust of
> the board@ key, or discouraging outside contributions.
Well, not necessarily, third party repos could just provide their keys
and describe how users should import them. AFAIK, that’s what’s done on
the Fedora side with the rpmfusion repo.
> What if urpmi automatically trusts packages signed with a key signed
> by board@ and prompt on the first install of a package that is
> signed by a different key? The yum tool used by Fedora, RHEL, and
> CentOS works very well by prompting on new keys.
I’ve never used GUIs on Fedora, but for me you could as well install the
rpm containing the third party keys with yum and the --nogpgcheck

I guess this option should be implemented in urpmi for that to work on
our side.

() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
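The trust rule proposed earlier in the thread (accept a repository key only if it carries a certification from the board@ key, and drop it if the key or that certification has been revoked) can be expressed as a small policy check over gpg's machine-readable key listing. The script below is an added example for this thread, not code from urpmi or from any of the posters. It assumes the caller has already refreshed the keyring from a keyserver (the refresh step nicolas describes) and feeds the output of `gpg --with-colons --list-sigs` into it; the key IDs, timestamps and user IDs in the embedded listing are constructed for the example, only the record layout follows gpg's colon format.

```python
"""Evaluate repository signing keys against a 'must be certified by board@' policy.

Added example (not from the thread or from urpmi): parses the output of
`gpg --with-colons --list-sigs` and applies the proposed rule: a key is usable
only if it carries a certification from the board key, and it is rejected if
the key itself or the board's certification has been revoked.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample listing. Key IDs, timestamps and user IDs are made up for
# this example; only the record layout follows gpg's --with-colons format.
BOARD_KEYID = "AAAA000000000001"

SAMPLE_LISTING = """\
pub:-:4096:1:AAAA000000000001:1296000000:::-:::scESC::::::23::0:
uid:-::::1296000000::HASH1::Mageia board (constructed) <board@mageia.org>::::::::::0:
sig:::1:AAAA000000000001:1296000000::::Mageia board (constructed) <board@mageia.org>:13x:::::2:
pub:-:2048:1:BBBB000000000002:1296100000:::-:::scESC::::::23::0:
uid:-::::1296100000::HASH2::Certified repo (constructed) <repo1@example.org>::::::::::0:
sig:::1:BBBB000000000002:1296100000::::Certified repo (constructed) <repo1@example.org>:13x:::::2:
sig:::1:AAAA000000000001:1296200000::::Mageia board (constructed) <board@mageia.org>:10x:::::2:
pub:r:2048:1:CCCC000000000003:1296100000:::-:::scESC::::::23::0:
uid:r::::1296100000::HASH3::Revoked repo (constructed) <repo2@example.org>::::::::::0:
sig:::1:CCCC000000000003:1296100000::::Revoked repo (constructed) <repo2@example.org>:13x:::::2:
sig:::1:AAAA000000000001:1296200000::::Mageia board (constructed) <board@mageia.org>:10x:::::2:
rev:::1:CCCC000000000003:1296300000::::Revoked repo (constructed) <repo2@example.org>:20x:::::2:
pub:-:2048:1:DDDD000000000004:1296100000:::-:::scESC::::::23::0:
uid:-::::1296100000::HASH4::Unknown third party (constructed) <repo3@example.org>::::::::::0:
sig:::1:DDDD000000000004:1296100000::::Unknown third party (constructed) <repo3@example.org>:13x:::::2:
pub:-:2048:1:EEEE000000000005:1296100000:::-:::scESC::::::23::0:
uid:-::::1296100000::HASH5::Decertified repo (constructed) <repo4@example.org>::::::::::0:
sig:::1:EEEE000000000005:1296100000::::Decertified repo (constructed) <repo4@example.org>:13x:::::2:
sig:::1:AAAA000000000001:1296200000::::Mageia board (constructed) <board@mageia.org>:10x:::::2:
rev:::1:AAAA000000000001:1296400000::::Mageia board (constructed) <board@mageia.org>:30x:::::2:
"""


@dataclass
class KeyRecord:
    keyid: str
    revoked_flag: bool  # 'r' in field 2 of the pub record: gpg already marks it revoked
    # issuer key ID -> (creation time, "sig" or "rev"); only the newest statement is kept
    certs: dict[str, tuple[int, str]] = field(default_factory=dict)


def parse_listing(text: str) -> list[KeyRecord]:
    """Group sig/rev records under the pub record they belong to.

    gpg attaches signatures to the preceding uid record; for this policy it is
    enough to attribute them to the enclosing key.
    """
    keys: list[KeyRecord] = []
    current: KeyRecord | None = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = KeyRecord(keyid=f[4], revoked_flag=(f[1] == "r"))
            keys.append(current)
        elif f[0] in ("sig", "rev") and current is not None:
            issuer, created = f[4], int(f[5] or 0)
            # A later revocation certificate overrides an earlier certification
            # from the same issuer, so keep only the most recent statement.
            prev = current.certs.get(issuer)
            if prev is None or created >= prev[0]:
                current.certs[issuer] = (created, f[0])
    return keys


def evaluate(key: KeyRecord, anchor: str) -> str:
    """Classify one key: anchor, revoked, decertified, untrusted or trusted."""
    if key.keyid == anchor:
        return "anchor"  # shipped with the package manager, trusted by construction
    self_stmt = key.certs.get(key.keyid)
    if key.revoked_flag or (self_stmt is not None and self_stmt[1] == "rev"):
        return "revoked"  # the key owner revoked the key itself
    board_stmt = key.certs.get(anchor)
    if board_stmt is None:
        return "untrusted"  # never certified by board@: prompt the user or refuse
    if board_stmt[1] == "rev":
        return "decertified"  # board@ withdrew its certification
    return "trusted"


def evaluate_listing(text: str, anchor: str = BOARD_KEYID) -> dict[str, str]:
    """Map every key ID in a colon listing to its policy decision."""
    return {k.keyid: evaluate(k, anchor) for k in parse_listing(text)}


if __name__ == "__main__":
    for keyid, decision in evaluate_listing(SAMPLE_LISTING).items():
        print(f"{keyid}: {decision}")
```

The decision for a key that is merely "untrusted" is where the two proposals in the thread differ: the strict variant refuses it outright, while the yum-like variant prompts on first use and remembers the answer; both refuse "revoked" and "decertified" keys, which is why the keyring has to be refreshed from a keyserver before the check runs.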