* Cédric Augonnet <[EMAIL PROTECTED]> [070919 01:34]:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> Would not this dumb patch (applied to the latest mercurial repository)
> avoid throwing cached data away when the gpg signature is not valid?

It will stop removing the files but it doesn't do anything to warn the user and ask for special permission.

There is a reason for the gpg check, to protect against malicious attackers changing the kernel sources without the users noticing it. If the user doesn't have the key to check against he should be warned about it and subsequent attempts should fail as well, unless the user explicitly overrides the gpg check.

I believe this patch is incomplete in its current form.

Baruch
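
The behaviour the reply above asks for (keep the cached file, warn, keep failing until the user explicitly overrides), sketched as an added example; it is not code from the patch or from the project. The function names and the `allow_unverified` flag are hypothetical, the status keywords are those gpg prints with `--status-fd`, and the sample status lines are constructed.

```python
import subprocess
import sys

# Constructed samples of `gpg --status-fd 1 --verify` output (key ID and name are made up).
GOOD = "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer\n[GNUPG:] VALIDSIG 0123456789ABCDEF\n"
BAD = "[GNUPG:] BADSIG 0123456789ABCDEF Example Signer\n"
NO_KEY = "[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1190000000 9\n[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n"

class SignatureError(Exception):
    """The cached file failed the gpg check and no override was given."""

def classify(status_text):
    """Reduce gpg status lines to 'good', 'bad' or 'no_key'."""
    tokens = set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            tokens.add(parts[1])
    if "BADSIG" in tokens:
        return "bad"
    if "NO_PUBKEY" in tokens:
        return "no_key"
    # Assumes the keyring holds only keys the user trusts for these sources.
    if {"GOODSIG", "VALIDSIG"} <= tokens:
        return "good"
    return "bad"  # empty or unrecognised output fails closed

def gpg_status(path, sig_path):
    """Run gpg and return its machine-readable status output."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, path],
                          capture_output=True, text=True)
    return proc.stdout

def check_cached(path, sig_path, allow_unverified=False, status_source=gpg_status):
    """Return True if verified, False if used under an explicit override.

    The cached file is never deleted. Without the override every call
    raises again, so a failed check cannot be bypassed by retrying.
    """
    verdict = classify(status_source(path, sig_path))
    if verdict == "good":
        return True
    reason = "public key not available" if verdict == "no_key" else "signature is not valid"
    if allow_unverified:
        print(f"WARNING: {path} used without a valid signature ({reason})", file=sys.stderr)
        return False
    raise SignatureError(f"{path}: {reason}; file kept, pass the override to use it anyway")
```

The `status_source` parameter exists only so the policy can be exercised without a gpg keyring; by default it calls gpg itself.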