+1 to that.
Reviewing yum to learn any lessons for our repository work is also a
good idea, I think.
On Thu, 13 Jan 2005 15:47:35 -0500, Tim O'Brien <[EMAIL PROTECTED]> wrote:
> It should be the user's discretion, but it also might be a good thing to
> default to the most secure setting. Similar to the new version of yum, it
> won't connect to yum repositories unless you import keys from the
> repositories, or turn off key verification - secure by default.
> -----Original Message-----
> From: Brett Porter [mailto:[EMAIL PROTECTED]
> Sent: Thu 1/13/2005 2:01 PM
> To: [EMAIL PROTECTED]
> Subject: Re: repo security
> > Would we be talking about "gpg --armor --output
> > commons-foo-1.2.jar.md5.asc --detach-sig commons-foo-1.2.jar"? Or, is
> > there some other mechanism we would need to go through?
> This is what I'd intended to do in Wagon using Bouncycastle. And as
> Steve mentions, it can be at the user's discretion: skip it, check it
> from the same location, check it, getting keys from a specified
> trusted location, only trust if the key is already in my keychain are
> probably the levels.
> - Brett
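
Added example, not part of the thread and not Maven or Wagon code: the strictest level listed above (trust a signature only if its key is already in the local keychain), sketched with the gpg and gpgv command-line tools. The throwaway keys, the sample file and the function names are constructed for the demo, and GnuPG 2.1 or later is assumed.

```shell
#!/bin/sh
# Constructed demo: throwaway keys and a stand-in artifact, nothing from the thread.
WORK=$(mktemp -d)
ARTIFACT="$WORK/commons-foo-1.2.jar"
printf 'constructed sample artifact\n' > "$ARTIFACT"

cleanup() {
    for h in release other; do
        gpgconf --homedir "$WORK/$h" --kill gpg-agent 2>/dev/null
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# Create a passphrase-less throwaway signing key in its own GnuPG home.
new_home() {  # $1 = home dir, $2 = user id
    mkdir -m 700 "$1" &&
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key "$2" default default never
}

# Publisher side: detached, ASCII-armored signature for the artifact.
sign_with() {  # $1 = home dir, $2 = file, $3 = signature output
    gpg --homedir "$1" --batch --yes --quiet --pinentry-mode loopback \
        --passphrase '' --armor --output "$3" --detach-sign "$2"
}

# Consumer side, strictest level: accept only signatures made by keys that
# are already in the local pinned keyring. gpgv never fetches keys.
verify_pinned() {  # $1 = keyring, $2 = signature, $3 = file
    gpgv --quiet --keyring "$1" "$2" "$3" 2>/dev/null
}

new_home "$WORK/release" 'Release Key (constructed) <release@example.invalid>'
new_home "$WORK/other"   'Unknown Key (constructed) <other@example.invalid>'

# The consumer's "keychain": only the release key, exported ahead of time.
gpg --homedir "$WORK/release" --batch --export > "$WORK/trusted.gpg"

sign_with "$WORK/release" "$ARTIFACT" "$ARTIFACT.asc"
sign_with "$WORK/other"   "$ARTIFACT" "$WORK/untrusted.asc"

verify_pinned "$WORK/trusted.gpg" "$ARTIFACT.asc" "$ARTIFACT" \
    && echo "accepted: signed by a pinned key"
verify_pinned "$WORK/trusted.gpg" "$WORK/untrusted.asc" "$ARTIFACT" \
    || echo "rejected: signer not in the pinned keyring"
```

The other levels in the list differ only in where the keyring passed to `verify_pinned` comes from; a keyring downloaded from the same location as the artifact gives no protection if that location is compromised.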