PackageKit Misconceptions

Mikkel L. Ellertson mikkel at infinity-ltd.com
Thu Aug 23 15:16:08 UTC 2007


Jeff Spaleta wrote:
> On 8/22/07, Owen Taylor <otaylor at redhat.com> wrote:
>> I'm sure we can work with legal to come up with something acceptable.
> 
> I hope so. I just want to make sure you guys don't go crazy on
> implementation mock-ups just to get your bubbles burst by the
> non-technical constraints.
> 
> End of the day reality:
> the gpg importation dialogs that we have are pretty meaningless to
> self-admining users. Being able to offer some sort of measure of
> "trust" in the validity of repository keys would do a lot and would
> allow us to deny importation and redirect users to our authority site
> for an explanation of the denial.
> 
> Though how we handle local network repositories that we can't act as
> an authority for...that's a tougher question. It's easy to forget that
> .edus and even .coms can and will have internal repositories that
> desktop installs will be encouraged to use. These repos are absolutely
> and utterly hidden from scrutiny from any public authority.
> 
> I still think there are some inherent problems with reputation
> associated with any definition of "safety", but we've got months to
> argue over that if things come to that.
> 
> -jef
> 
Dumb question - would it be possible to sign the gpg keys of the
repos with the Fedora key, and then report the signature as part of
the import dialog? (I know it can be done technically, but I am not
sure how practical/legal it would be...)

Mikkel
-- 

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
