On Mon, Sep 22, 2003 at 07:07:23PM -0400, Matt Zimmerman wrote:
[..]
> I am afraid that these changes may not make it into sarge. If the release
> is delayed for other reasons, it may become possible, but I would rather
> release in December without signature checking than in March with it. I'm
> open to input from release-type folks about this, and so CCing
> debian-release.
>
> There still remain these outstanding issues, as well:
>
> - What to do about notifying the user about insecure sources
>
>   - A perpetual warning when any insecure source is present will numb the
>     user to such warnings
>
>   - An error would prevent users from taking advantage of unofficial sources
>
>   Isaac suggested a configuration option to reject insecure sources, and I
>   think that is probably a good compromise. What should this configuration
>   option be called? Acquire::Require-Signed?
>
> - Tools for generating Release files and signatures

I have not followed the discussion closely, but I would like to encourage you to stay as close as possible to the apt-rpm solution. This helps tools like synaptic (which I maintain) to be able to work with both versions of apt. Synaptic already supports the signing stuff that apt-rpm provides.

I would also love to be able to test the signing stuff early to ensure that synaptic will not break.

Thanks for your good work on apt!

Michael

