[Mageia-dev] PGP keys and package signing

Maarten Vanraes maarten.vanraes at gmail.com
Mon Jan 31 20:40:00 CET 2011

Op maandag 31 januari 2011 18:01:16 schreef nicolas vigier:
> On Mon, 31 Jan 2011, Christophe Fergeau wrote:
> > 2011/1/31 nicolas vigier <boklm at mars-attacks.org>:
> > > On Sun, 30 Jan 2011, Motoko-chan wrote:
> > >> What if urpmi automatically trusts packages signed with a key signed
> > >> by board@ and prompt on the first install of a package that is signed
> > >> by a different key? The yum tool used by Fedora, RHEL, and CentOS
> > >> works very well by prompting on new keys.
> > > 
> > > For PLF packages, they will now be included on Mageia repository, so
> > > most users should not need to use external repositories. However we
> > > can add an option or prompt to disable this check, or an option to
> > > manually add a new trusted key. As long as it's not automatically
> > > downloaded from the mirror without asking for any confirmation.
> > 
> > You definitely want to let people set up their own local package
> > repositories or to use 3rd party repositories, for example I did it
> > sometimes at Mandriva for some tests, and I want to do it again for
> > internal work/proprietary packages. I'm ok with having rpm/urpmi
> > telling you you're about to install packages with an unknown
> > signature/... as long as you can override it and tell it to let you
> > install the package.
> Yes, we should add an option somewhere to allow this.

isn't it easier if local overrides would also provide a way to add keys that 
can be validated, imo.

I'm writing urpmi-proxy, and and i would like to have a good way to have local 
overrides with their own key signed.

perhaps if a diff key is detected, a certain procedure could be started that 
could ask the user if this key is trusted or not, or refer to somewhere else?

also, thinking on the upgrade path from Mandriva, i'm not sure how...

More information about the Mageia-dev mailing list