[asdf-install-devel] Re: [cclan-list] ASDF-Install patch to allow installation of unsigned packages
Gary King
gwking at metabang.com
Thu May 24 17:40:23 UTC 2007
Hi Todd and Andreas,
I see your point regarding requiring a license file but I'm not sure
that I agree because ASDF-Install already has several "loopholes":
* you can set *verify-gpg-signatures* to nil or to a list of trusted
locations
* you can choose a restart around an invalid or untrusted signature
In this case, I know and trust Kevin Rosenberg and was willing to
take the risk and get the software even though it wasn't signed. I
didn't like ASDF-Install thinking it knew better than me. Without the
patch, I'm forced to download the software, unpack it, move it to the
right place, setup symbolic links, etc.
To my mind, a consistent ASDF-Install is one that allows people to
skip all of these checks (with verification). It makes no sense to
allow software to be installed with an invalid signature but prevent
it from being installed with a missing one. Are you arguing that all
of these restarts be expunged from ASDF-Install?
--
Gary Warren King, metabang.com
Cell: (413) 885 9127
Fax: (206) 338-4052
gwkkwg on Skype * garethsan on AIM
More information about the asdf-install-devel
mailing list