PackageKit Misconceptions

[Jeff Spaleta]

On 8/22/07, Owen Taylor <otaylor at redhat.com> wrote:
> I'm sure we can work with legal to come up with something acceptable.

I hope so. I just want to make sure you guys don't go crazy on
implementation mock-ups just to get your bubbles bursted by the
non-technical constraints.

End of the day reality:
the gpg importation dialogs that we have are pretty meaninglist to
self-admining users. Being able to offer some sort of measure of
"trust" in the validity of repository keys would do a lot and would
allow us to deny importation and redirect users to our authority site
for an explanation of the denial.

Though how we handle local network repositories that we can't act as
an authority for...that's a tougher question. It's easy to forget that
.edus and even .coms can and will have internal repositories that
desktop installs will be encouraged to use. These repos are absolutely
and utterly hidden from scrutiny from any public authority.

I still think there are some inherent problems with reputation
associated with any definition of "safety", but we've got months to
argue over that if things come to that.

-jef