On Tuesday 27 June 2006 10:32, MJ Ray wrote:
> IIRC debian solves this problem with the debian-keyring
> package (to get you started quickly, you want the keys on
> the installation CD really) and you can set gpg to download
> unknown keys automatically from the keyservers of your choice
> (keyring.gobolinux.org?). Maybe InstallPackage could call gpg
> with the right options to use goboring and download unknown
> keys from an official server?
I agree that the Debian setup is nice. However, I don't like the idea of
having unknown keys downloaded from an official server. "Official" server is
just that--it should be used for official packages, that are all signed by an
official key. For unofficial, third-party packages, there needs to be a way
of fetching keys that, by definition, can't be stored on an official server.
> Including a download URL in the package seems unnecessary.
Except when installing third-party packages. I run into this from time to
time when running Kubuntu--it's nice that most of the third-party KDE
packages include on-line instructions where to get the key, but it would be
even nicer to have the option to fetch the key without having to hunt down
the installation instructions.
:Peter
_______________________________________________
gobolinux-devel mailing list
gobolinux-devel@lists.gobolinux.org
http://lists.gobolinux.org/mailman/listinfo/gobolinux-devel
