In fully automated environments, being required to interactively acknowledge the import of GPG keys is not a viable option. Instead of silently auto-importing unknown keys - which would be a security nightmare - a list of trusted key IDs should be provided.
We decided that having a configuration option would, in the best case, be superfluous, as it is equal to having the keys already imported into the keyring. Worse, it could be a security threat if specified by the phive.xml of a malicious project, auto-importing bad keys that then would automatically be trusted.
Thus, with the CLI option only, this feature would be considered implemented.
See #66 for discussion.
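The trust decision described in this issue, as an added sketch that is not part of the issue and not phive's own code: trusted key IDs come only from the operator's command line, and nothing in the project's configuration can add to the list. The function names, the comma-separated list format, the matching rule (16-hex long key ID or 40-hex fingerprint, 8-hex short IDs refused) and the sample fingerprints are assumptions of this example.

```python
import re

HEX = re.compile(r"[0-9A-F]+")

def normalize_key_id(raw):
    """Upper-case hex key ID; accept only 16-hex long IDs or 40-hex fingerprints."""
    key = raw.strip().replace(" ", "").upper()
    if key.startswith("0X"):
        key = key[2:]
    # 8-hex short IDs are refused: collisions on them are cheap to generate.
    if not HEX.fullmatch(key) or len(key) not in (16, 40):
        raise ValueError(f"not a long key ID or fingerprint: {raw!r}")
    return key

def parse_trusted_keys(cli_value):
    """Parse the comma-separated list the operator passed on the command line."""
    return frozenset(normalize_key_id(p) for p in cli_value.split(",") if p.strip())

def decide_import(signer_fingerprint, keyring, cli_trusted, interactive):
    """Return 'already-trusted', 'import', 'prompt' or 'reject'.

    There is deliberately no project-config parameter: a list shipped with the
    project being installed must never widen the set of trusted keys.
    """
    fpr = normalize_key_id(signer_fingerprint)
    if len(fpr) != 40:
        raise ValueError("signer must be identified by its full fingerprint")
    if fpr in keyring:
        return "already-trusted"
    # A v4 long key ID is the last 16 hex digits of the fingerprint.
    if fpr in cli_trusted or fpr[-16:] in cli_trusted:
        return "import"
    # Unknown key: ask a human if one is present, otherwise fail closed.
    return "prompt" if interactive else "reject"

# Constructed sample values, not real keys.
SIGNER = "0123456789ABCDEF0123456789ABCDEF01234567"
UNKNOWN = "F" * 40

if __name__ == "__main__":
    trusted = parse_trusted_keys("0x89abcdef01234567")
    print(decide_import(SIGNER, frozenset(), trusted, interactive=False))
    print(decide_import(UNKNOWN, frozenset(), trusted, interactive=False))
```

In a non-interactive run the unknown key is rejected rather than imported, which is the fail-closed behaviour the issue asks for.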