On Sun, Aug 17, 2003 at 12:20:23PM +0200, Luca Berra wrote:
> well, most of them are, and i believe all should be signed, not
> necessarily by mandrake, but at least from the packagers.
> After such thing as the gnu ftp server compromise i believe it is only
> responsible to sign packages.

I'd love to sign packages, but I refuse to put my GPG key on a machine I don't control. I suppose I could create a new key just for signing packages, but the issue is there's still a key that has my "blessing" on someone else's machine. The alternative is to download each and every package to my local machine, sign and reupload... That's a lot of hassle.

I tend to agree that these packages should be handled the same way as main is and signed by a Mandrake key... A separate key could be made for contrib and signing could/should be handled the same way as main.

-- 
Ben Reser <[EMAIL PROTECTED]>
http://ben.reser.org

"What upsets me is not that you lied to me, but that from now on I can no longer believe you." -- Nietzsche
