[asdf-install-devel] Re: [cclan-list] ASDF-Install patch to allow installation of unsigned packages
Tim Daly, Jr.
tim at tenkan.org
Thu May 24 18:17:02 UTC 2007

Hi Gary,

I'd just like to add my small voice to the chorus:

On May 24, 2007, at 10:40 AM, Gary King wrote:
>
> I see your point regarding requiring a license file but I'm not sure
> that I agree because ASDF-Install already has several "loopholes":
>
> * you can set *verify-gpg-signatures* to nil or to a list of trusted
> locations
> * you can choose a restart around an invalid or untrusted signature

It seems to me that these are choices made by the person installing a
package, whereas making a package without a signature is a choice
made by the person providing the package. I'm okay with opting out
of the signature verification on my end if it's expedient, but I'm
not really down with a potential proliferation of unsigned packages.

In my world, an unsigned package should not be called ASDF-INSTALLable.

Cheers,
Tim