[gobolinux-devel] package signing, etc...

Lucas C. Villa Real lucasvr at gobolinux.org
Wed Feb 21 21:05:29 UTC 2007


On 2/18/07, Ricardo Nabinger Sanchez <rnsanchez at wait4.org> wrote:
> On Sun, 18 Feb 2007 09:31:21 +0100
> Jonatan Liljedahl <lijon at kymatica.com> wrote:
>
> > Here's a patch for InstallPackage that adds a -S/--no-sign-check option!

Thanks, I've just committed that.

> I'd suggest to mark the package as such also (installed from unchecked
> Recipe).  If the signature check failed, either the Recipe is broken/needs
> update or a bug was triggered inside InstallPackage (thus the traceback).
>
> It should be easy for the (unaware) user to see those quickly, and act upon them
> (deinstall, update to a newer version, file a bug, ...).

Do you have any suggestions? Marking a package in any way is going to
either add or modify another file, and then the package will be
automatically broken to VerifyProgram's eyes, as there will be either
an md5sum miss or an 'invader', according to FileHash's contents. I
think this lies in the "user's problem corner", as he/she explicitly
asked to ignore that verification.

-- 
Lucas
powered by /dev/dsp
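
Added example, not part of the original message and not GoboLinux code: a minimal hash-manifest verifier showing why a marker placed in the package tree surfaces as either an 'invader' or a hash mismatch. The manifest layout, the file names and the exempt list are assumptions made for illustration; MD5 is used only because the thread refers to md5sum.

```python
import hashlib, os, tempfile

MARKER = os.path.join("Resources", "Unverified")  # hypothetical marker file name

def digest_tree(root):
    """Map every file under root (relative path) to its MD5 hex digest."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = hashlib.md5(fh.read()).hexdigest()
    return out

def verify(root, manifest, exempt=()):
    """Compare the tree with the recorded manifest, skipping exempt paths."""
    current = {p: h for p, h in digest_tree(root).items() if p not in exempt}
    recorded = {p: h for p, h in manifest.items() if p not in exempt}
    return {
        "mismatch": sorted(p for p in recorded if p in current and current[p] != recorded[p]),
        "missing": sorted(p for p in recorded if p not in current),
        "invader": sorted(p for p in current if p not in recorded),
    }

def write(root, rel, data, mode="wb"):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(data)

def demo():
    """Constructed package tree; returns the verifier's findings per scenario."""
    desc = os.path.join("Resources", "Description")
    with tempfile.TemporaryDirectory() as root:
        write(root, os.path.join("bin", "tool"), b"#!/bin/sh\necho tool\n")
        write(root, desc, b"[Name] tool\n")
        manifest = digest_tree(root)  # hashes recorded at packaging time
        results = {"clean": verify(root, manifest)}
        write(root, MARKER, b"installed without signature check\n")
        results["new_marker_file"] = verify(root, manifest)
        results["marker_exempted"] = verify(root, manifest, exempt={MARKER})
        os.remove(os.path.join(root, MARKER))
        write(root, desc, b"[Unverified] yes\n", mode="ab")  # mark inside an existing file
        results["marker_in_existing_file"] = verify(root, manifest)
    return results

if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario, findings)
```

An exempted marker path is not covered by any hash, so its presence or absence is itself unauthenticated.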