[packagekit] Signed packages again again

David Zeuthen david at fubar.dk
Thu Nov 15 15:19:02 PST 2007


On Thu, 2007-11-15 at 18:17 -0500, Matthias Clasen wrote:
> On Nov 15, 2007 6:08 PM, David Zeuthen <david at fubar.dk> wrote:
> >
> > > Also, how do we define trusted?
> >
> > Didn't I define that with this
> >
> >  where "untrusted" means that the package isn't signed by a key that the
> >  user has decided to trust. Specifically for rpm this means that the
> >  user hasn't done 'rpm --import <key>' for the key the package is signed
> >  with. Specifically if the rpm isn't signed, this action will be
> >  needed.
> 
> Hmm.
> 
> In the use-cases PK is designed for, all updates should be "trusted", no?

This is a bit like taking the high road. In the wild (e.g. real world)
lots of people will run into packages that are not signed or signed with
a key that isn't "trusted". 

PK can of course just say "not our problem, we only want to install
trusted packages, get the repo to sign the packages and make sure the
GPG keys are installed (= trusted)" but then PK is just not going to be
useful to a lot of people... Just look at how often stable Fedora
updates repos ship unsigned packages...

     David




