Bug#203741: Signature verification status
On Mon, Sep 22, 2003 at 07:07:23PM -0400, Matt Zimmerman wrote:
[..]
> I am afraid that these changes may not make it into sarge. If the release
> is delayed for other reasons, it may become possible, but I would rather
> release in December without signature checking than in March with it. I'm
> open to input from release-type folks about this, and so CCing
> debian-release.
>
> There still remain these outstanding issues, as well:
>
> - What to do about notifying the user about insecure sources
>
> - A perpetual warning when any insecure source is present will numb the
> user to such warnings
>
> - An error would prevent users from taking advantage of unofficial sources
>
> Isaac suggested a configuration option to reject insecure sources, and I
> think that is probably a good compromise. What should this configuration
> option be called? Acquire::Require-Signed?
>
> - Tools for generating Release files and signatures
I have not followed the discussion closely, but I would like to
encourage you to stay as close as possible with the apt-rpm
solution. This helps tools like synaptic (which I maintain) to be able
to work with both versions of apt. Synaptic already supports the
signing stuff that apt-rpm provides.

I would also love to be able to test the signing stuff early to ensure
that synaptic will not break.

Thanks for your good work on apt!
Michael