On 26.03.2014 22:25, Julian Harnath wrote:
> (3) Package signing is a good idea so the user can know if a package really originates from a certain source.

The discussed options are:

1. Always sign each individual package.
2. Sign only the repository file which contains the package hashes.
   a) Don't support signing packages at all. Requires a package to originate from a repository in order to be able to verify its authenticity.
   b) Support signing packages (optionally). Would allow e.g. third-party developers to provide signed packages without a repository.
The second option only allows verifying the package authenticity (of unsigned packages) at installation time (respectively as long as the repository file is available).
CU, Ingo
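The two sub-options of option 2 side by side, as an added Go example that is neither part of this thread nor of Haiku's package kit: a repository file (a constructed "name sha256hex" list) signed with a repository key, against which an unsigned package can only be checked while that file is available (2a), next to a developer's detached Ed25519 signature over the package bytes, checkable with nothing but the developer's public key (2b). The manifest format, package name and package contents are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// verifyViaRepo is option 2a: the package has no signature of its own and is only checkable while the signed repository file is at hand.
func verifyViaRepo(repoKey ed25519.PublicKey, manifest string, manifestSig []byte, name string, pkg []byte) bool {
	if !ed25519.Verify(repoKey, []byte(manifest), manifestSig) {
		return false // repository file forged or altered: none of its hashes can be trusted
	}
	sum := sha256.Sum256(pkg)
	for _, line := range strings.Split(manifest, "\n") { // constructed format: one "name sha256hex" line per package
		if f := strings.Fields(line); len(f) == 2 && f[0] == name {
			return f[1] == hex.EncodeToString(sum[:])
		}
	}
	return false // package not listed in this repository file, so nothing to compare against
}

// verifyStandalone is option 2b (or option 1): a detached signature over the package bytes, no repository file needed.
func verifyStandalone(devKey ed25519.PublicKey, pkg, sig []byte) bool {
	return ed25519.Verify(devKey, pkg, sig)
}

// demo signs a constructed package both ways; returns (accepted via repo, tampered copy rejected via repo, accepted standalone).
func demo() (viaRepo, tamperedRejected, standalone bool) {
	repoPub, repoPriv, _ := ed25519.GenerateKey(rand.Reader) // repository operator's key
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)   // third-party developer's key
	pkg := []byte("constructed package contents, not a real hpkg")
	sum := sha256.Sum256(pkg)
	manifest := "example_pkg " + hex.EncodeToString(sum[:]) + "\n" // constructed repository file
	manifestSig := ed25519.Sign(repoPriv, []byte(manifest))
	tampered := append([]byte{}, pkg...)
	tampered[0] ^= 0xff // one flipped byte no longer matches the listed hash
	return verifyViaRepo(repoPub, manifest, manifestSig, "example_pkg", pkg),
		!verifyViaRepo(repoPub, manifest, manifestSig, "example_pkg", tampered),
		verifyStandalone(devPub, pkg, ed25519.Sign(devPriv, pkg))
}

func main() {
	fmt.Println(demo()) // prints: true true true
}
```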