Re: the v4 signatures thing

On Fri, Jan 10, 2003 at 10:15:51AM -0500, Jeff Johnson wrote:
> Ah, "--force-v3-sigs" looks like it should be added.

Ok, good. :)

> Automagically adding pubkeys from packages needs rpm to pay attention
> to the trust bits in OpenPGP pubkeys, requiring user interaction to
> set the bit. Alternatively, warnings could be generated when package
> with pubkey is installed, but that really requires user dialogue too.

I should explain what's going on a bit more. We've got a customized distro
we use on campus here, and a key part of that is a script that uses apt to
install security updates automatically. I've got apt set up to only install
packages where a valid signature is found. I want the system to install the
proper public key for our signature at initial install time -- if the users
have to set this up, it defeats the entire purpose, because if they are
going to go to All That Effort, they'd be the kind of people who would be
installing their security updates manually on a good schedule. But they're
not. So I want the key to Just Be There.

With older RPM, this was simply a matter of putting the key on root's
keyring in the rootfiles package. But now it's become all complicated. :)

Matthew Miller           mattdm@mattdm.org        <http://www.mattdm.org/>
Boston University Linux      ------>                <http://linux.bu.edu/>
