[gobolinux-devel] package signing, etc...
Carlo Calica
carlo at calica.com
Thu Feb 22 08:34:05 UTC 2007
On 2/21/07, Lucas C. Villa Real <lucasvr at gobolinux.org> wrote:
> On 2/18/07, Ricardo Nabinger Sanchez <rnsanchez at wait4.org> wrote:
> > I'd suggest to mark the package as such also (installed from unchecked
> > Recipe). If the signature check failed, either the Recipe is broken/needs
> > update or a bug was triggered inside InstallPackage (thus the traceback).
> >
> > It should be easy for the (unaware) user to see those quickly, and act upon them
> > (deinstall, update to a newer version, file a bug, ...).
>
> Do you have any suggestions? Marking a package in any way is going to
> either add or modify another file, and then the package will be
> automatically broken to VerifyProgram's eyes, as there will be either
> an md5sum miss or an 'invader', according to FileHash's contents. I
> think this lies in the "user's problem corner", as he/she explicitly
> asked to ignore that verification.
>
Rename FileHash to FileHash.overridden (or similar). It'll stop the
check in later runs of VerifyProgram and mark the package that the
signature was ignored.
--
Carlo J. Calica
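
The behaviour discussed in this thread, as an added example that is not part of the original message and is not GoboLinux's VerifyProgram code: a verifier that reports an md5sum miss or an 'invader' against FileHash, and skips the check once the manifest has been renamed to FileHash.overridden. The md5sum-style manifest format, its location in the package root, the `UNCHECKED` marker file and all function names are assumptions.

```python
import hashlib
import os
import tempfile

MANIFEST = "FileHash"                # file name taken from the thread
OVERRIDDEN = "FileHash.overridden"   # rename proposed in the thread

def md5_of(path):
    h = hashlib.md5()  # MD5 only because the thread's manifest holds md5sums
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_program(root):
    """Return (status, problems); status is ok, modified, overridden or unsigned."""
    if os.path.exists(os.path.join(root, OVERRIDDEN)):
        return "overridden", []      # check skipped, package stays visibly marked
    manifest = os.path.join(root, MANIFEST)
    if not os.path.exists(manifest):
        return "unsigned", []
    # Assumed format: "<md5>  <relative path>" per line, as md5sum prints it.
    with open(manifest) as f:
        expected = {rel.strip(): digest for digest, rel in
                    (line.split(None, 1) for line in f if line.strip())}
    problems = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel == MANIFEST:
                continue             # the manifest does not list itself
            if rel not in expected:
                problems.append(("invader", rel))
            elif md5_of(os.path.join(root, rel)) != expected[rel]:
                problems.append(("md5sum miss", rel))
    return ("modified" if problems else "ok"), sorted(problems)

def demo():
    """Constructed package: clean, then marked with an extra file, then overridden."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "tool"), "w") as f:
            f.write("#!/bin/sh\n")
        with open(os.path.join(root, MANIFEST), "w") as f:
            f.write(md5_of(os.path.join(root, "tool")) + "  tool\n")
        clean = verify_program(root)
        open(os.path.join(root, "UNCHECKED"), "w").close()  # marker-file approach
        marked = verify_program(root)
        os.rename(os.path.join(root, MANIFEST), os.path.join(root, OVERRIDDEN))
        return clean, marked, verify_program(root)
```

`demo()` returns the three verification results in order: the clean package, the package after a marker file was added, and the package after the manifest was renamed.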