On Sat, 10 Mar 2001, Wichert Akkerman wrote:

> > Could it at least have an option to turn it off? APT users using the new
> > secured release files are not going to want to burn the cycles to do this.
>
> That is an entirely different form of security check, and not as powerful
> as this one.. the two are somewhat orthogonal.

I can think of no security benefit that normal users will derive from checking deb signatures when the signed release file is already being used. 'Power' users with a link to the trust network, and who are willing to wire in package->key mappings will derive a benefit, and those people can certainly turn it on. I just don't see why we need to make things even slower and less likely to work by forcing this option to default on for APT installs. The last thing I need is bug reports from people with out of date key rings complaining that their package installs don't work anymore.

Jason

