On 19 Dec 2002, Steve Fox wrote:

> On Wed, 2002-12-18 at 05:05, Sascha Noyes wrote:
> >
> > I do however also find the errors by rpmdrake
> > _very_ annoying. Could Mandrake perhaps include a separate key for signing
> > contrib apps, and give a message (but only once) that the signing only proves
> > that the package was built by Mandrake, nothing else.
>
> While I know the process is not completely automated, you are right that
> they are not examining the entire source code.
>
> Your suggestion for a separate contribs key is a very good one though
> and I would certainly like to see it done to avoid the urpmi warnings.
>

The problem isn't *just* with contrib, it's with any urpmi source.

There was a proposal around (Ben Reser and Vince, possibly on security-discuss) about associating a key (or multiple keys?) to a urpmi source, and have urpmi.update (and the GUI alternative) check to ensure that any keys it has have not expired, and have urpmi (and its GUI alternative) offer to import missing keys (with the correct messages on the security implications, showing key fingerprints etc).

This would allow Club, rpmhelp, Texstar, PLF, samba FTP and many other sites to carry RPMs, and have the users more easily do the right thing (which is not to be in the habit of installing unsigned packages, but to check them).

Regards,
Buchan

--
|----------------Registered Linux User #182071-----------------|
Buchan Milne  Mechanical Engineer, Network Manager
Cellphone * Work  +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering  http://www.cae.co.za
GPG Key  http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
