On Mon, Nov 19, 2018 at 2:21 PM Roy Bamford <neddyseagoon@g.o> wrote:
>
> "The archive members support optional OpenPGP signatures.
> The implementations must allow the user to specify whether OpenPGP
> signatures are to be expected in remotely fetched packages."
>
> Or can the user specify that only some elements need to be signed?
>
> Is it a problem if not all elements are signed with the same key?
> That could happen if one person makes a binpackage and someone
> else updates the metadata.
>

IMO this is going a bit into PM details for a GLEP that is about
container formats.

Presumably any package manager is going to need to figure out what
keys are/aren't valid and allow the user to configure this behavior.
Users who want to go editing package innards will presumably adjust
their package manager settings to accept their modifications, whether
it means accepting their own sigs or disabling them.

-- 
Rich