On Thu, 2007-11-15 at 18:17 -0500, Matthias Clasen wrote: > In the use-cases PK is designed for, all updates should be "trusted", no ? This is what I'm thinking also. If the user has installed a bad repo file then I think we've lost already. Richard.