Subject: Re: [agc@netbsd.org: CVS commit: basesrc/usr.sbin/pkg_install/add]
To: None <tech-pkg@netbsd.org>
From: Alan Barrett <apb@cequrux.com>
List: tech-pkg
Date: 10/03/2001 11:31:29
On Tue, 02 Oct 2001, Simon Gerraty wrote:
> >% sudo pkg_add -s gpg $PKGREPOSITORY/skill-4.0.tgz
> >gpg: Signature made Fri Sep 21 13:07:56 2001 BST using DSA key ID 26B1CB95
> >gpg: Good signature from "Alistair Crooks "TEST KEY" <agc@pkgsrc.org>"
> >Proceed with addition of /usr/packages/i386/skill-4.0.tgz: [y/n]? y
> >%
>
> If the signature is good, is there any reason to prompt?
Somebody has to decide whether DSA key ID 26B1CB95 is an acceptable key
for the purpose of signing binary packages to be installed on this host.
There could perhaps be a mechanism for the sysadmin to pre-authorise
certain keys, but in the absence of such a mechanism a prompt seems
sensible.
--apb (Alan Barrett)