On Tue, Aug 05, 2003 at 10:47:22AM -0500, Aleksander Demko wrote:
> On Sat, 2003-08-02 at 09:09, Michael Stenner wrote:
> > gpgcheckbonus = 10 # added if gpgcheck is on
>
> Just 10? So, a non-gpgcheck repository can override rpms that I receive
> from a gpgcheck repository? I realize this is probably what happens now,
> but wouldn't it be more secure/understandable to only use the gpgcheck
> repo when they're provided for certain rpms? Of course, this does not
> help the case where people provide signed rpms, but using a different
> key than say Red Hat. Ugh.
>
> Or am I the only one that doesn't replace rpms that came with redhat
> with say ximian stuff, etc? :)

The specific example you quote above was only intended as example syntax
for a possible form of package/repository scoring. I was not making any
claims about the value of gpg-checking. You can make the number -10 or
10000000 and it would make my point just as well.

-Michael

--
Michael Stenner                      Office Phone: 919-660-2513
Duke University, Dept. of Physics    mstenner@xxxxxxxxxxxx
Box 90305, Durham N.C. 27708-0305
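As an added illustration of the scoring concern raised in the quoted message (this is example code, not yum's code nor either poster's): with a purely additive gpgcheck bonus, an unverified repository with a high enough base score still wins, whereas a "prefer signed providers" policy of the kind Aleksander describes drops unverified candidates whenever a gpgcheck'd repo provides the package. The per-repository base scores and the policy flag are assumptions.

```python
# Toy model of the package/repository scoring idea discussed above.
# Hypothetical: not yum's code; per-repo base scores and the
# "prefer_signed" policy are assumptions made for illustration.
from dataclasses import dataclass
from typing import Iterable, Optional

GPGCHECK_BONUS = 10  # the value quoted in the thread


@dataclass(frozen=True)
class Repo:
    name: str
    base_score: int   # assumed per-repository preference
    gpgcheck: bool    # signatures verified against a trusted key


@dataclass(frozen=True)
class Candidate:
    package: str
    version: tuple    # e.g. (1, 0); compared lexicographically
    repo: Repo


def score(c: Candidate, bonus: int = GPGCHECK_BONUS) -> int:
    """Additive scoring: a flat bonus is added when the repo is gpgcheck'd."""
    return c.repo.base_score + (bonus if c.repo.gpgcheck else 0)


def pick(cands: Iterable[Candidate], bonus: int = GPGCHECK_BONUS,
         prefer_signed: bool = False) -> Optional[Candidate]:
    """Select the winning candidate for one package name.
    prefer_signed=False: pure additive scoring, so a large enough base score
    on an unverified repo outweighs the bonus (the concern in the thread).
    prefer_signed=True: if any gpgcheck'd repo provides the package, the
    unverified candidates are dropped first; otherwise fall back to them.
    """
    pool = list(cands)
    if prefer_signed and any(c.repo.gpgcheck for c in pool):
        pool = [c for c in pool if c.repo.gpgcheck]
    if not pool:
        return None
    return max(pool, key=lambda c: (score(c, bonus), c.version))


# Constructed sample: a vendor repo with gpgcheck on and a third-party
# repo without it, both shipping the same package.
VENDOR = Repo("vendor", base_score=0, gpgcheck=True)
THIRD = Repo("thirdparty", base_score=20, gpgcheck=False)
CANDS = [Candidate("foo", (1, 0), VENDOR), Candidate("foo", (1, 1), THIRD)]
```

Raising the bonus to a very large value makes the signed candidate win under additive scoring too, which is the "-10 or 10000000" point in the reply; the policy flag changes the rule rather than the number.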