On Tue, Jun 3, 2008 at 1:59 AM, Pierre Schmitz <email@example.com> wrote:
> On Tuesday 03 June 2008 01:46:11, Geoffroy Carrier wrote:
>> We have to think about the default interaction.
>> It would be easy to sign all packages as the first step, so expecting
>> signed packages for the first pacman release including GPG support seems
>> fair to me. I think we should ask the user for confirmation in case packages
>> are not signed, like the apt tools do.
> First: great work and thanks for starting the gpg-signing in pacman. Imho we
> should force devs to sign packages by default. Because the whole thing will
> become useless if only one single package in our repos is not signed.
Keep in mind that this is
1. An Arch decision, not a pacman decision
2. A policy decision, not something that should be enforced by pacman code
Enforcing this at the Arch-specific dbscripts level would be OK, but I
don't think it is wise to force makepkg/pacman to sign all packages,
especially those that are built for local use only. Some people don't
have PGP keys so this would be a pain in the ass.
pacman-dev mailing list