[gobolinux-users] The package for hungarian OpenOffice2.0.4

Jonas Karlsson jonka750 at student.liu.se
Mon Nov 13 20:20:17 UTC 2006


2006/11/13, Andy Feldman <nereusren at gmail.com>:
> On 11/13/06, Jonas Karlsson <jonka750 at student.liu.se> wrote:
> > 2006/11/13, Andy Feldman <nereusren at gmail.com>:
> > > For example, when I download your GnuPG package, it errors
> > > out with "Invalid signature," with no option to install it anyway.
> >
> > [...] What does InstallPackage say
> > more than 'nvalid signature'? Does it say anything more, like that
> > some files are missing or aren't signed?
>
> InstallPackage: Installing GnuPG, version 1.4.5.
> InstallPackage: Uncompressing to /Programs...
> InstallPackage: Invalid signature.  Package has been modified
> InstallPackage: Suspect package in /Programs/GnuPG/1.4.5
> InstallPackage: Removing downloaded package
> /System/Variable/tmp/GnuPG--1.4.5--i686.tar.bz2.
>
> This is with Scripts 2.5.1 and GnuPG 1.4.1, on 012.
>
Could you run VerifyProgram on it? I think it gives a little more
information on what's wrong.

> > I thought that one
> > could install contributed packages and get that the signature was ok.
>
> I tried to submit a signed package a while ago... I know things have
> changed quite a bit since then with the signing framework, but at the
> time Lucas suggested to me to leave it unsigned if I didn't have a
> practical way of giving people my key.

I'll look into it and give you a good answer when I have the time to look at it.

>
> Incidentally, do you have your public key posted somewhere? That way I
> would be able to use your packages, at least :). I'm not very
> experienced with the public key framework, but I'd be interested in
> learning about it and trying to make it work easily with packages in
> general... A robust user-trust framework for binary packages is a
> great goal, since it would helps us get even farther away from relying
> on a single "central repository."
>
You can get my public key here:
http://pgp.mit.edu:11371/pks/lookup?search=jonka750&op=index

We're still working on the signing bits, but we're getting closer.

For user-trust, I'm not really sure how to build a good web of trust,
when we are this geographically widespread (most of us, except some
down in Brazil :) ) and few. It's very unlikely that we should
physically meet to be able to connect the lines in the web, but that's
something to think about later.

-- 
/Jonas


More information about the gobolinux-users mailing list