FC3T2 up2date - <package> is not signed with a GPG signature

[William Hooper]

John Reiser said:
> William Hooper wrote:
>
>> John Reiser said:
>>
>
>>> 1. Wait until all packages have been downloaded before requiring
>>> interactivity.  Dribble the individual unsigned warnings into a list
>>> box as they are detected, but do not pause for user OK until all
>>> packages have been downloaded.
>>
>>
>> up2date --nosig -du
>
> I don't understand this suggestion.  "--nosig" means do not use GPG to
> check package signatures, and overrides the configuration option if any.

Correct, so all packages are downloaded regardless if there is a signature
or not.

> However,
> if the package has a signature, then I want up2date to check the
> signature. Thus it seems that using --nosig will defeat the checking that
> could be done. If a package has no signature, then I want up2date to post
> the package name to a scrolling list box, but do not stop for interaction
> until all packages have been downloaded.

As above, this will download all packages regardless.  Now when you re-run
up2date it will check for signatures (but will stop at each package).

>  Neither "man up2date" nor any
> file in /usr/share/doc/ up2date* contains the string "du", so the argument
> "-du" seems to be undefined.

As with most commands, you can combine options into one statement.  The
docs contain the strings "d" and "u", using them together gives you "du".

>>
>>> 2. Automatically omit unsigned packages:  from the download if
>>> possible, else from the install.  This may cause other package
>>> installls to fail because of required dependencies, etc.
>>
>>
>> How do you know if a package is signed without downloading it?
>>
>
> By having an agent (or summary file) at the repository which keeps track,
>  and having up2date query and use the information.

Good luck with that, especially since we are talking the Rawhide repo,
where things being out of sync and broken don't just happen but are
expected.


-- 
William Hooper