[Mageia-dev] PGP keys and package signing

nicolas vigier boklm at mars-attacks.org
Mon Jan 31 18:01:16 CET 2011

On Mon, 31 Jan 2011, Christophe Fergeau wrote:

> 2011/1/31 nicolas vigier <boklm at mars-attacks.org>:
> > On Sun, 30 Jan 2011, Motoko-chan wrote:
> >> What if urpmi automatically trusts packages signed with a key signed by
> >> board@ and prompts on the first install of a package that is signed by a
> >> different key? The yum tool used by Fedora, RHEL, and CentOS works very
> >> well by prompting on new keys.
> >
> > For PLF packages, they will now be included in the Mageia repository, so
> > most users should not need to use external repositories. However we
> > can add an option or prompt to disable this check, or an option to
> > manually add a new trusted key. As long as it's not automatically
> > downloaded from the mirror without asking for any confirmation.
> You definitely want to let people set up their own local package
> repositories or to use 3rd party repositories, for example I did it
> sometimes at Mandriva for some tests, and I want to do it again for
> internal work/proprietary packages. I'm ok with having rpm/urpmi
> telling you you're about to install packages with an unknown
> signature/... as long as you can override it and tell it to let you
> install the package.

Yes, we should add an option somewhere to allow this.
