On Sat, Apr 01, 2000 at 12:15:01PM +1000, Anthony Towns wrote:
(among many other minor typos)

> You can differentiated probably good but outdated old packages, and probably
      ^^^^^^^^^^^^^^^^^^

This should read "can't differentiate". Whoops.

> bad but outdated old packages, no. On the upside, you can still verify that
> once upon a time they *were* trusted.

You also can't verify whether they're still trusted now or not, assuming they're not from the current stable.

Also, upon a little reflection, I might add...

> Let me be somewhat linear for a moment. This is what I'm claiming:
>     current-system < dinstall-key, signed-debs < dinstall-key & signed-debs

...that I'm more than happy to concede that, personally, for my circumstances, I believe:

    current-system < dinstall-key < signed-debs < dinstall-key & signed-debs

If I had a choice between dinstall-key and signed-debs being implemented tomorrow, by someone else, with no work by me, especially with the proviso that only one of them would be done, ever, I'd choose signed-debs.

But that's not the choice I have. The choice I have is that I *can* implement dinstall-keys, with probably a few days work, so that both apt and dinstall support it, most of which time would be spent working out how apt and dinstall are meant to work. I'm far less confident of being able to implement signed-debs; both because the dpkg code scares me, and getting the semantics of verification right (accepting signatures by any key from debian-keyring, but only keys from debian-keyring for most packages, and only James' key for debian-keyring) and working out how to update "James" in case he retires, scares me too. And not only this, but I can implement the former in the knowledge that it won't stop the latter from being done too.

But unfortunately that's not quite the choice I have either, since for some reason that I can't fathom, people seem to think that a dinstall key would be an abomination to man and God and I'd probably be summarily kicked out of the project as soon as I tried sending a patch somewhere. Or at least it'd never get applied.

So really, I have the choice between trying to convince people that giving dinstall a key of its own isn't actually as horrendous as people think, and that it's actually, to some extent, a Good Thing, or just learning to live with it.

And thus this thread.

Cheers,
aj

--
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG encrypted mail preferred.

``The thing is: trying to be too generic is EVIL. It's stupid, it results in slower code, and it results in more bugs.''
-- Linus Torvalds