[Catalog-sig] [Draft] Package signing and verification process

Lennart Regebro regebro at gmail.com
Wed Feb 6 21:45:55 CET 2013


On Wed, Feb 6, 2013 at 9:38 PM, Zygmunt Krynicki
<zygmunt.krynicki at canonical.com> wrote:
> On 06.02.2013 19:05, Giovanni Bajo wrote:
>> Most users will just tap "yes" to get on with their task and ignore
>> this prompt.
>
> I have no solution to that.

That is the problem we are having, and the problem we need to solve.

> Ignorance is not something that can be fixed with technology.

No, but its repercussions can be avoided.

If checking the packages manually is your solution, then we don't need
to change anything. The "non-ignorant" can already do that. Nothing is
preventing you from verifying a package before you install it. The
fact is that most people do not do so, and asking them to type "yes"
at a prompt is not going to change that. From that standpoint your
solution changes nothing (except adds a layer of annoyance) and solves
nothing.

And that's the last I'm going to say about it.

//Lennart

