From: Tim D. Jr. <ti...@te...> - 2007-05-24 18:23:56

Hi Gary,

I'd just like to add my small voice to the chorus:

On May 24, 2007, at 10:40 AM, Gary King wrote:

> I see your point regarding requiring a license file but I'm not sure
> that I agree because ASDF-Install already has several "loopholes":
>
> * you can set *verify-gpg-signatures* to nil or to a list of trusted
>   locations
> * you can choose a restart around an invalid or untrusted signature

It seems to me that these are choices made by the person installing a package, whereas making a package without a signature is a choice made by the person providing the package. I'm okay with opting out of the signature verification on my end if it's expedient, but I'm not really down with a potential proliferation of unsigned packages. In my world, an unsigned package should not be called ASDF-INSTALLable.

Cheers,
Tim