On Thu, Dec 18, 2008 at 10:42 AM, Pierre Schmitz <[email protected]> wrote:
> On Thursday 18 December 2008 17:22:25 Aaron Griffin wrote:
>> I think "Optional" makes sense in some cases. Let's take the community
>> repo, where things tend to be a hodge-podge of ideas and attitudes. I
>> can imagine half the packages being signed, some being unsigned, and
>> some being signed by keys not in the keyring.
>
> Well, if that will be the case we can forget about the whole signing stuff.
> One "unprotected" package is enough to inject your custom code.

Right, but that's not what I'm saying. As a user, I might not care. Actually, I don't. Here's our cases:

People who care about super-secure packages: Set things to "Always" and then your system will only install signed packages.

Middle of the road people: Set core and extra to "Always" and other repos to either "Never" or "Optional".

People who don't care: Everything is set to "Never".

See, I fall in the middle case. I'd love to have everything signed, but I know it won't happen for everything all the time. So, if I set community to "Always", I'm going to run into a case where I want to install a package from community that is unsigned. We need a "fuck it, install it anyway" case.

Now, instead of the "Optional" setting, if there was a --skip-signature flag that I could use, I would also be sated. Either way, I'd just like to see a case where I can force it to skip the signature check.
