[packagekit] Res: One click install support in PackageKit

Dan Kegel dank at kegel.com
Sun Mar 29 08:22:34 PDT 2009


On Sun, Mar 29, 2009 at 8:14 AM, Debayan Banerjee <debayanin at gmail.com> wrote:
> I read up on the links posted on this thread. I understand that
> the main problems are:
>
> 1) There is no way to trust third party software repositories.
> 2) Distributions like Fedora and Debian will never include non-free
> repository information such as GPG keys for non-free repositories.

Does it follow that Fedora and Debian will never
do anything to make it easier to install non-free software?

> My view is that we do not really need to follow a policy where we
> trust a repository based on its GPG key etc. What we are concerned
> with is the package at the end of the day, and if the package itself
> is not compromised in any way then we can always install it. The
> question now is, how do we know if a package is compromised or not.
> Let's say Fedora sets up a server at the url
> https://checksums.fedoraproject.org/thirdparty. This server shall
> contain a listing of all the MD5SUMS/SHA1SUMS of all third party
> packages that are popular.

But I don't think they would do that for non-free software.
So we're back at the original problem, aren't we?
- Dan