[arch-general] Package signing: database signatures?
Christian Hesse
list at eworm.de
Mon Mar 5 04:39:30 EST 2012
Hello everybody,
afaik, database files in official repositories are not signed yet. Are they?
This forces one to set SigLevel to 'Optional' instead of 'Required'. Now if
anybody wants to provide an infected package he/she only needs to provide no
signature at all and the package is happily accepted, no?
So when will database files from official packages be signed?
And even more interesting: Does it make sense to add a new option
'PkgRequired'? This could force valid signatures for packages and make it
optional for database files.
--
Best regards,
Chris
O< ascii ribbon campaign
stop html mail - www.asciiribbon.org
More information about the arch-general
mailing list