On Thu, 2004-11-04 at 11:33 +0100, Nils Philippsen wrote:
> On Mon, 2004-11-01 at 18:50 -0500, Peter Jones wrote:
> > On Mon, 2004-11-01 at 17:34 -0600, Satish Balay wrote:
> > > Ok - you & Seth seem to have a solution to the problem.
> > >
> > > Still no good explanation why ALL keys should be treated the same.
> >
> > Because there's nothing about a key that tells you how to treat it.
>
> Exactly. There's where "common sense" comes into play, i.e. I shouldn't
> enable Rawhide repositories if a broken system makes me cry.

We're not just talking about rawhide. We're talking about Axil's repo, and Matthias's repo, and the cdparanoia repo on my people.redhat.com site, and the repo on Seth's website.

There is no common sense answer to "I have 40 keys signing things and none of them specify what the signature means".

Quit thinking that we're talking about one key. We're talking about many.

> Let's face it, currently a signed package only means "someone/-thing has
> signed off on it" on a technical level, anything else is just what we
> humans put into it and nothing tools can guess by themselves. I.e. we
> can only differentiate between "keys we trust" on a certain system by
> either putting them into yum.conf/sources or not. Everything beyond that
> would need infrastructure that currently doesn't exist.

Yes, anything beyond that needs infrastructure that doesn't currently exist. Currently yum and up2date take signatures to mean something beyond that, and they take all signatures in rpms to be equal in this regard. That means we need infrastructure beyond looking at the key and guessing wildly what a signature by it means.

yum and up2date interpret a specific meaning for a package signature: if the key is known to rpm, a valid signature means the package was transmitted as intended from the signer.

It's not even very difficult infrastructure to make (at least in the most naive form), but so far you've objected to nothing except my premise that people don't know what a signature means, which you now seem to agree with. What gives?

--
Peter