[gobolinux-users] Re: Package Signing

Hisham Muhammad hisham.hm at gmail.com
Mon Nov 21 17:50:41 GMT 2005

On 11/21/05, Jonas Karlsson <cj.karlsson at gmail.com> wrote:
> 2005/11/20, Hisham Muhammad <hisham.hm at gmail.com>:
> > I figure the same could apply for signed recipes and Compile, except
> > that in the "no signature" case, it could ask only when Compile
> > downloads a recipe, and compile right away when using a local recipe
> > (ie, signature check when recipe is downloaded/unpacked).
> >
> Just a note, what happens if user denies Compile to use an unsigned
> recipe? Will it be deleted? If not, will the user get asked again if
> Compile uses the local copy that got unpacked when the user denied
> Compile?

Good question. I wouldn't want Compile to be too annoying when the
user is working on their own recipes -- for example, I wouldn't want
to be asked about an unsigned recipe when it's something I just
created with MakeRecipe. I think it's actually important to avoid
asking too much so that the user doesn't get into the habit of always
saying "yes". Maybe a three-way question like this would be best:

Warning: downloaded recipe was not signed, its integrity cannot be verified.
Use it? [y]yes, [n]no, [k]no but keep it in the local repository.

But I really don't know what's best. Suggestions?

-- Hisham
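
The three-way prompt proposed above, combined with the rule quoted from the earlier message (check only when a recipe is downloaded or unpacked), as an added shell sketch that is not part of the original thread and is not Compile's code. The function names, the repository layout, the "verified"/"unsigned" states and the choice to treat a kept copy as a local recipe are assumptions; under them, answering "k" means a later run on the kept copy builds it without asking again.

```shell
#!/bin/sh
# Added sketch, not Compile's code. Function names, the repository layout and
# the "verified"/"unsigned" states are assumptions made for illustration.

ACTION=""   # result of the last decision: compile | discard | keep
ASKED=0     # 1 if that decision required prompting the user

# decide ORIGIN SIGSTATE ANSWER
#   ORIGIN: downloaded | local    SIGSTATE: verified | unsigned
#   ANSWER: y | n | k (read only when a prompt is actually needed)
decide() {
    ACTION=""; ASKED=0
    # Local recipes (for example fresh from MakeRecipe) are never asked about.
    if [ "$1" = local ] || [ "$2" = verified ]; then
        ACTION=compile; return 0
    fi
    [ "$2" = unsigned ] || return 2      # other states are out of scope here
    ASKED=1
    case $3 in
        y) ACTION=compile ;;
        k) ACTION=keep ;;                # no build, but stays in the repository
        *) ACTION=discard ;;             # "n" and anything unrecognised
    esac
}

# fetch_recipe REPO NAME SIGSTATE ANSWER: simulate download and unpack, then decide.
fetch_recipe() {
    mkdir -p "$1/$2" && echo "constructed sample recipe" > "$1/$2/Recipe"
    decide downloaded "$3" "$4" || return $?
    if [ "$ACTION" = discard ]; then rm -rf "${1:?}/$2"; fi
}

# use_local REPO NAME: a later Compile run that finds the unpacked copy.
use_local() {
    [ -f "$1/$2/Recipe" ] || return 1    # nothing kept, would have to download
    decide local unsigned ""
}

# Demo: answer "k" once, then run again against the kept copy.
demo() {
    repo=$(mktemp -d)
    fetch_recipe "$repo" Foo unsigned k
    echo "download: action=$ACTION asked=$ASKED"
    use_local "$repo" Foo
    echo "local:    action=$ACTION asked=$ASKED"
    rm -rf "$repo"
}
demo
```

Recording the origin of a kept recipe (for instance a marker file beside it) would let the second run ask again instead; the sketch does not do that.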

