[packagekit] Signed packages again again
David Zeuthen
david at fubar.dk
Thu Nov 15 15:16:40 PST 2007
On Thu, 2007-11-15 at 23:15 +0000, Richard Hughes wrote:
> On Thu, 2007-11-15 at 18:02 -0500, David Zeuthen wrote:
> > The downside here is that in the worst case the user will see two auth
> > dialogs; one for .allow-unchecked-signature and one for the action he's
> > really trying to do. The alternative would be
>
> Not cool. Two auth dialogs would get me shot by walters.
>
> > which is a bit verbose... Thoughts?
>
> My point was more how do we decide which package sigs are trusted? How
> many repos don't have a foo-release.rpm file that installs the gpg
> key[1]?
None, but I'm trying to explain to the powers that be that such a thing
should be encouraged. Just read the bug report; it's basically backwards
_not_ to do it.
David
More information about the PackageKit
mailing list