
package signatures [was: Re: gnupg-doc of standard priority?]

On Mon, 2002-07-15 at 12:23, Anthony Towns wrote:
> On Mon, Jul 15, 2002 at 12:16:08PM +0200, Adrian 'Dagurashibanipal' von Bidder wrote:
> > On Mon, 2002-07-15 at 11:45, Anthony Towns wrote:
> > > On Mon, Jul 15, 2002 at 02:28:54AM -0700, Sean 'Shaleh' Perry wrote:
> > > > gnupg itself is not really a requirement for most users it is there more
> > > > because we developers need it for Debian itself.  
> > > Is this where we invite people to trojan your Debian mirror, and
> > > demonstrate gpg's utility for the average Debian user, btw?
> > Sorry to jump in here, but gpg is *not* useful in terms of pkg
> > management for the average user as long as debs are not auto-checked on
> > install by dpkg.
> Auto-checking by dpkg is overrated.

Not sure what you mean here. IMHO the end-users should not even be
required to care about pkg integrity beyond saying 'yes, this one
pkg/key is trusted' once, but should be warned if an untrusted pkg is
accidentally downloaded. Wouldn't this require all pkgs to be checked?

[Yes, this issue has probably been beaten to death previously. Anybody
has the link to the most recent discussion handy?]

> > (And this in turn, of course, is not going to happen
> > until a properly defined trust infrastructure is in place, probably with
> > a 'Debian master key' or something like that.)
> It's in beta, and there was a thread just a few days ago pointing you
> at the appropriate key and software to use.

I just found the few mails in the 'wishlist for woody+1' thread
recently. Was there some more discussion? (Probably I searched for all
the wrong keywords...)

-- vbi

secure email with gpg                         http://fortytwo.ch/gpg

Attachment: signature.asc
Description: This is a digitally signed message part
