On Sun, Nov 30, 2008 at 06:56, solsTiCe d'Hiver <solstice.dhiver@xxxxxxxxx> wrote: > i like the original idea of pierre. i had the same one ;-) > > because it's easier to implement and could be done quite quickly. it's > quite time to shift to something a little more secure, even if it's not > the *most* secure one. > as soon the db is signed, we have a minimum security (not total i know, > i read about the exploit in this thread) > > package signing could be a second step as it will take even longer to > complete (more work to be done in pacman and more things to agree upon) > > in fact, i suggest a two steps approach. > I agree. We can talk until we're blue in the face about the "ideal" way to do it, but it doesn't mean a thing if it's not implemented. Let's get *something* done, even if it's not ideal.
