On Thu, Mar 27, 2008 at 04:17:04PM +0100, Raphael Hertzog wrote:
> On Thu, 27 Mar 2008, Robert Millan wrote:
> > I think debian-keyring and gnupg would fit better in Recommends than in
> > Suggests. dpkg-source can't work securely without them.
>
> This is a strong assertion... dpkg-source checks signatures but it's only
> an informational step. It will never fail due to a problem with the GPG
> signature.

It can't really be anything but informational. The user is in control, so
even if dpkg-source aborted with an error, the user could use the
--ignore-that-error flag if present, or otherwise use tar & patch manually.

Anyway, the fact that it is informational doesn't make it less important.
Information on whether you have to trust your ISP or not in order to build a
package from source is desirable most of the time, and can be critical in
some circumstances, IMO.

-- 
Robert Millan

<GPLv2> I know my rights; I want my phone call!
<DRM> What use is a phone call… if you are unable to speak?
(as seen on /.)