On Tue, 2008-03-04 at 07:44 +0000, Adam D. Barratt wrote:
> Is this an option that you'd only want to use when dget is calling
> dscverify, or any time that dscverify is called? If the latter then the
> functionality already exists (DSCVERIFY_KEYRINGS).

My use-case is downloading packages from mentors.d.n for sponsorship; there I always use dget rather than dscverify. I reported this bug because dget -x wasn't working as it used to because it now calls dscverify, fails and decides not to run dpkg-source.

Perhaps what I really want is for dget -x to run dpkg-source -x even if dscverify fails. That way I get to see a warning from dpkg-source if the key isn't in my keyring or the package has been tampered with in transit.

Thinking about it more, I'd like -x to do these:

* good DD sig: yay, unpack
* bad DD sig: big error, option to force unpack
* good DM sig: yay, unpack, inform me of DM status
* bad DM sig: big error, option to force unpack
* good other sig: yay, unpack, inform me of otherness
* bad other sig: big, option to force unpack
* no sig: yay, unpack, warn about no sig

With no -x it would just do the same without unpacking.

> > Alternatively change dscverify to check ~/.gnupg/pubring.gpg
>
> This is already possible (see above) but I'm not convinced we'd want to
> include it by default.

Fair enough.

> > but print out a warning if the key is not in debian-keyring.
>
> This, otoh, is not currently supported. I suppose one could have
> dscverify call check_signature() twice with different keyrings.

Sounds fine to me.

--
bye,
pabs

http://wiki.debian.org/PaulWise
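
The per-keyring policy listed in the message above, sketched as an added example that is not part of the original message or of devscripts. It assumes gpgv has been run once per keyring with `--status-fd` (the "call check_signature() twice with different keyrings" idea) and that its status text is passed in; the `classify` function, the origin labels and the sample status lines are constructed for illustration, and refusing to unpack when the key is in no keyring is an assumption, since the list does not cover that case.

```python
import re

# Keyring labels in priority order. "DD" stands for debian-keyring and "other"
# for ~/.gnupg/pubring.gpg, both named in the message; "DM" is an assumed label
# for a separate Debian Maintainer keyring.
ORIGINS = ("DD", "DM", "other")
STATUS = re.compile(r"^\[GNUPG:\] (GOODSIG|BADSIG|NO_PUBKEY|ERRSIG)\b", re.M)

def classify(dsc_text, status_by_origin):
    """Return (verdict, origin, unpack, message) for one .dsc file.

    status_by_origin maps an origin label to the text gpgv wrote on its
    status fd when run against that origin's keyring.
    """
    if "-----BEGIN PGP SIGNED MESSAGE-----" not in dsc_text:
        return ("none", None, True, "warning: .dsc is not signed")
    for origin in ORIGINS:
        m = STATUS.search(status_by_origin.get(origin, ""))
        if m is None or m.group(1) in ("NO_PUBKEY", "ERRSIG"):
            continue  # this keyring cannot judge the signature; try the next
        if m.group(1) == "BADSIG":
            # Key is known but the data does not match: never unpack silently.
            return ("bad", origin, False,
                    f"ERROR: bad {origin} signature; force needed to unpack")
        note = "" if origin == "DD" else f" (signer is {origin}, not a DD)"
        return ("good", origin, True, f"good {origin} signature{note}")
    # Assumption: with no matching key, good and tampered files look the same.
    return ("unknown", None, False, "signing key is in none of the keyrings")

# Constructed sample inputs (not real keys or packages).
SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nFormat: 1.0\n"
MISSING = ("[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 01 1204616640 9\n"
           "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n")
GOOD = "[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Uploader <u@example.org>\n"
BAD = "[GNUPG:] BADSIG 0123456789ABCDEF Constructed Uploader <u@example.org>\n"

if __name__ == "__main__":
    cases = [(SIGNED, {"DD": GOOD}),
             (SIGNED, {"DD": MISSING, "DM": MISSING, "other": GOOD}),
             (SIGNED, {"DD": MISSING, "DM": BAD}),
             (SIGNED, {"DD": MISSING}),
             ("Format: 1.0\n", {})]
    for dsc, status in cases:
        print(classify(dsc, status))
```

Signatures from expired or revoked keys produce other status keywords (for example EXPKEYSIG) and fall through to the "unknown" outcome here rather than being treated as good.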