On Tuesday 28 January 2003 17.08, Warly wrote:
> Oden Eriksson <[EMAIL PROTECTED]> writes:
> > On Monday 27 January 2003 22.54, Todd Lyons wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >>
> >> Vincent will correct me if I'm wrong, but there are only three keys that
> >> are used to officially sign packages in Main. Those three keys get
> >> installed automatically into root's keyring when the gnupg package is
> >> installed. If a developer happens to also package some Contrib rpm, the
> >> sig will be good. If a community contributor packages the Contrib rpm,
> >> then the end user who's installing it must go and manually retrieve
> >> (just once) the packager's public key.
> >
> > So I guess re-signing my packages while the upload procedure is running
> > with one of these 3 keys is out of the question then?
>
> At present contrib are not signed.
>
> One of the ideas for the future is to have different keys and allow the user to
> select which keys are valid for packages, for example:
>
> - Stable release
> - Contrib stable release
> - Development release
> - Security updates
>
> e.g. the user will have to explicitly select the development key to be able to
> install cooker packages on a stable release.
>
> It is not likely that we have time to do this for 9.1.

I know very little about this, but could we make an rpm package containing contributors' public keys and put that one in main?

--
Regards // Oden Eriksson, Deserve-IT.com
