[Mageia-dev] PGP keys and package signing

Christophe Fergeau cfergeau at gmail.com
Mon Jan 31 17:08:01 CET 2011

2011/1/31 nicolas vigier <boklm at mars-attacks.org>:
> On Sun, 30 Jan 2011, Motoko-chan wrote:
>> What if urpmi automatically trusts packages signed with a key signed by
>> board@ and prompt on the first install of a package that is signed by a
>> different key? The yum tool used by Fedora, RHEL, and CentOS works very
>> well by prompting on new keys.
> For PLF packages, they will now be included on Mageia repository, so
> most users should not need to use external repositories. However we
> can add an option or prompt to disable this check, or an option to
> manually add a new trusted key. As long as it's not automatically
> downloaded from the mirror without asking for any confirmation.

You definitely want to let people set up their own local package
repositories or to use 3rd party repositories, for example I did it
sometimes at Mandriva for some tests, and I want to do it again for
internal work/proprietary packages. I'm ok with having rpm/urpmi
telling you you're about to install packages with an unknown
signature/... as long as you can override it and tell it to let you
install the package.


More information about the Mageia-dev mailing list