[packagekit] Having a GPG auth dialog that doesn't suck

James Westby jw+debian at jameswestby.net
Tue May 27 09:22:00 PDT 2008


On Tue, 2008-05-20 at 16:59 +0100, Richard Hughes wrote:
> At the moment when packages are unsigned we present the user with a very
> ugly UI and ask them to verify manually if the hex keys presented
> actually match up with a random webpage somewhere. Nobody ever does, and
> people just click "Okay" to get the package installed.
> 
> Ideally, we would just get all distros to pre-import all keys for repos,
> and then users wouldn't have to worry about the auth at all - unless an
> unsigned or untrusted packages somehow made it in to the repo in which
> case we can show a scary dialog. 

I think this is a good idea.

> 
> Politically and legally this is pretty impossible, for instance, fedora
> can't even mention livna let alone import a key else lots of lawyers get
> very upset.
> 
> So, we have to say to the user "This key is already known - it's
> probably okay to import. [more details] <Import>" and for unknown keys a
> much scarier warning. We're not saying "use this" -- we're saying "we
> know about this and trust the localised description".
> 
> So, we can't trust much in the key apart from it's ID and fingerprint -
> anything else can be spoofed. So we need a trusted path to lookup if a
> key is "known" and also a localised description to tell the user
> something useful.
> 

Are the redhat lawyers happy with saying "Someone else has validated 
that this gpg key is used by the repository at this URL"?

On a slightly different point, this would 



More information about the PackageKit mailing list