GPG-pubkeys
Jeff Johnson
n3npq at mac.com
Mon Sep 11 08:50:57 PDT 2006
On Sep 11, 2006, at 11:45 AM, Basil Chupin wrote:
> Jeff Johnson wrote:
>> On Sep 11, 2006, at 11:32 AM, Basil Chupin wrote:
>>> Jeff Johnson wrote:
>>>>
>>>> Meanwhile, there are other ways to distribute and install public keys
>>>> that do not involve human interaction. E.g. importing the handful of
>>>> public keys for the repository uses will avoid the necessity of
>>>> answering yes mindlessly.
>>>
>>> Which is what I am trying to suggest could be done to avoid
>>> uncompleted upgrades by using methods which do not involve human
>>> intervention.
>>>
>> Which is what I am suggesting as well. ;-)
>> FYI: checksums are easier to fake than signatures, and so signatures
>> provide a stronger integrity check.
>
> Ok, understood, but I think the point here, which I am trying to
> nail, is that from what you just said, and what I understand gpgs
> to represent, is that gpgs apply to *sites* and not individual
> packages so that once "you" accept the gpg for a *site* any package
> which is on that site will be accepted without question by smart as
> an upgrade.
>
The administration and distribution of public keys tend to be per-site, yes.
Meanwhile, the use of public keys is per-package signature verification.
73 de Jeff