On Tue, Dec 04, 2012 at 11:32:22AM +0100, Dominique Leuenberger a.k.a DimStar wrote:
Quoting Michal Vyskocil <mvyskocil@suse.cz>:
I would say having .keyring with a package, proposed by Ludwig, is a better solution. It increases flexibility and reduces the need for a special package for submission.
Security vs comfort/flexibility... as usual :)
I would not say having one central keystore is more secure - you would need to trust package maintainers and now you have to trust the review team, which is a trustful group, isn't it? ;-)
I agree that a manual review is not the coolest approach ever, but that
1.) Can't be easily worked around
2.) Needs to be done only for the first time - all other changes will be rare
But it is a good idea to have something in a webui showing big-red-something during .keyring file change.
This part I consider really important for 'us' reviewers... I'm afraid it's too easy to be missed otherwise.. if we add a 'big red warning' we can also link to a 'review howto'.. as we will likely not do it daily :)
I will submit a feature for OBS, but I'd like to wait till all rough points are clear. Atm, there are
* move it to source checking
* central keystore

Anyway a link to documentation is a great idea, I'll add it then.

Regards
Michal Vyskocil