| 1 |
On Mon, Nov 19, 2018 at 2:21 PM Roy Bamford <neddyseagoon@g.o> wrote: |
| 2 |
> |
| 3 |
> "The archive members support optional OpenPGP signatures. |
| 4 |
> The implementations must allow the user to specify whether OpenPGP |
| 5 |
> signatures are to be expected in remotely fetched packages." |
| 6 |
> |
| 7 |
> Or can the user specify that only some elements need to be signed? |
| 8 |
> |
| 9 |
> Is it a problem if not all elements are signed with the same key? |
| 10 |
> That could happen if one person makes a binpackage and someone |
| 11 |
> else updates the metadata. |
| 12 |
> |
| 13 |
|
| 14 |
IMO this is going a bit into PM details for a GLEP that is about |
| 15 |
container formats. |
| 16 |
|
| 17 |
Presumably any package manager is going to need to figure out what |
| 18 |
keys are/aren't valid and allow the user to configure this behavior. |
| 19 |
Users who want to go editing package innards will presumably adjust |
| 20 |
their package manager settings to accept their modifications, whether |
| 21 |
it means accepting their own sigs or disabling them. |
| 22 |
|
| 23 |
-- |
| 24 |
Rich |
Archives