+1 to that.

Reviewing yum to learn any lessons for our repository work is also a
good idea I think.

- Brett


On Thu, 13 Jan 2005 15:47:35 -0500, Tim O'Brien <[EMAIL PROTECTED]> wrote:
> It should be the user's discretion, but it also might be a good thing to 
> default to the most secure setting.  Similar to the new version of yum, it 
> won't connect to yum repositories unless you import keys from the 
> repositories, or turn off key verification - secure by default.
> 
> Tim
> 
> -----Original Message-----
> From: Brett Porter [mailto:[EMAIL PROTECTED]
> Sent: Thu 1/13/2005 2:01 PM
> To: [EMAIL PROTECTED]
> Subject: Re: repo security
> 
> > Would we be talking about "gpg --armor --output
> > commons-foo-1.2.jar.md5.asc --detach-sig commons-foo-1.2.jar". Or, is
> > there some other mechanism we would need to go through?
> 
> This is what I'd intended to do in Wagon using Bouncycastle. And as
> Steve mentions, it can be at the user's discretion: skip it, check it
> from the same location, check it, getting keys from a specified
> trusted location, only trust if the key is already in my keychain are
> probably the levels.
> 
> - Brett
> 
> 
>
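
The four check levels listed in the quoted message, sketched with the gpg command line as an added example that is not part of the original thread and is not Wagon or Bouncycastle code. The function names, level names, user IDs and fixture layout are assumptions, and the keys and jar contents are constructed.

```shell
# Added example (not from the thread). Function names, level names and the
# fixture layout are assumptions; gpg stands in for the Wagon/Bouncycastle code.
gpg_q() { gpg --batch --quiet "$@" 2>/dev/null; }

# verify_artifact LEVEL FILE SIG [KEYFILE | KEYRING_DIR]
#   skip      no check at all
#   same      import KEYFILE fetched from the same location as FILE
#   trusted   import KEYFILE fetched from a separately specified location
#   keychain  import nothing; only keys already in KEYRING_DIR count
verify_artifact() {
  local level="$1" file="$2" sig="$3" src="${4:-}" home rc=0
  case "$level" in
    skip) return 0 ;;
    same|trusted)
      [ -r "$src" ] || return 2
      home=$(mktemp -d) || return 2          # scratch keyring, discarded after
      { gpg_q --homedir "$home" --import "$src" &&
        gpg_q --homedir "$home" --verify "$sig" "$file"; } || rc=$?
      rm -rf "$home"; return "$rc" ;;
    keychain)
      [ -d "$src" ] || return 2
      gpg_q --homedir "$src" --verify "$sig" "$file" ;;
    *) return 2 ;;
  esac
}
# Constructed fixture helpers: a throwaway unprotected key per keyring.
make_key() {  # make_key KEYRING_DIR USER_ID -> KEYRING_DIR/pub.asc
  mkdir -p -m 700 "$1" &&
  gpg_q --homedir "$1" --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never &&
  gpg_q --homedir "$1" --armor --export > "$1/pub.asc"
}
sign() { gpg_q --homedir "$1" --yes --armor --output "$2.asc" --detach-sig "$2"; }

# Constructed scenario: the download location serves a swapped jar, a matching
# signature and its own key; the project's real key is held elsewhere.
demo() {
  local d lvl src jar; d=$(mktemp -d) || return 1; jar="$d/commons-foo-1.2.jar"
  make_key "$d/project" 'Project (constructed) <rel@example.invalid>' || return 1
  make_key "$d/mirror" 'Mirror (constructed) <m@example.invalid>' || return 1
  echo 'swapped contents' > "$jar"; sign "$d/mirror" "$jar" || return 1
  for lvl in skip same trusted keychain; do
    case "$lvl" in
      same) src="$d/mirror/pub.asc" ;; trusted) src="$d/project/pub.asc" ;;
      *) src="$d/project" ;;
    esac
    verify_artifact "$lvl" "$jar" "$jar.asc" "$src" && echo "$lvl=accept" || echo "$lvl=reject"
  done
  rm -rf "$d"
}
```

Running `demo` prints one `level=result` line per level. The `same` level accepts the swapped jar because the key travels with the artifact, so it only guards against corruption in transit; `trusted` and `keychain` reject it.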
