
Bug#203741: Signature verification status



On Mon, Sep 22, 2003 at 07:07:23PM -0400, Matt Zimmerman wrote:
[..]
> I am afraid that these changes may not make it into sarge.  If the release
> is delayed for other reasons, it may become possible, but I would rather
> release in December without signature checking than in March with it.  I'm
> open to input from release-type folks about this, and so CCing
> debian-release.
> 
> There still remain these outstanding issues, as well:
> 
> - What to do about notifying the user about insecure sources
> 
>   - A perpetual warning when any insecure source is present will numb the
>     user to such warnings
> 
>   - An error would prevent users from taking advantage of unofficial sources
> 
>   Isaac suggested a configuration option to reject insecure sources, and I
>   think that is probably a good compromise.  What should this configuration
>   option be called?  Acquire::Require-Signed?
> 
> - Tools for generating Release files and signatures

I have not followed the discussion closely, but I would like to
encourage you to stay as close as possible with the apt-rpm
solution. This helps tools like synaptic (which I maintain) to be able
to work with both versions of apt. Synaptic already supports the
signing stuff that apt-rpm provides.

I would also love to be able to test the signing stuff early to ensure
that synaptic will not break. 

thanks for your good work on apt!
 Michael
 


