[PlanetCCRMA] Re: GPG key ?

[Axel Thimm]

On Sat, Jan 03, 2004 at 04:52:04PM -0800, Fernando Pablo Lopez-Lezcano wrote:
> > guys, I'm just frolicking around with PlanetCCRMA, but my APT
> > (apt-0.5.15cnc1-0.fdr.3.1) refuses to install since, 
> > 
> > 	Unsigned /var/cache/apt/archives/faad2_2.0-1.rc3.rhfc1.ccrma_i386.rpm: sha1 md5 OK
> > 	E: Error: 1 unsigned packages
> >
> > the package is unsigned. Any chances of having a GPG signature and
> > signing the packages?

While it is not wrong to sign packages, given the lack of a Web of
Trust it is also only faking a false sense of security. This was
discussed at fedora.us to death, and many repo mainainers protested
that this would kick their repos out of scope.

Since fedora.us has anyway a monoculture policy with an explicit
reiterated statement of rejecting cooperations with all other repos,
you are best to replace your apt with one from another repo. Some even
assumed the above requirement to have less to do with overjealous
security concerns, but to be rather a policy of depreciation.

I'd recommend ATrpms', but freshrpms and dag also provide apt rpms
without the above requirement.

But signing the packages is not wrong at all.

> It is in my evergrowing list of things to do. Maybe there is an option
> in that package to disable this check? What is the contents of your
> /etc/apt/apt.conf?

BTW signing packages reenforces a new download. At least that was so,
when I started to sign packages a year ago. So signing them all at
once, may force a complete refetch from all PlanetCCRMA users, so it
should perhaps be tested, if this still holds true with current apt
versions (I believe that was reported as a bug and was fixed by
Conectiva, but I am not sure).
-- 
Axel.Thimm at physik.fu-berlin.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <https://cm-mail.stanford.edu/pipermail/planetccrma/attachments/20040104/73eeae58/attachment.sig>