There's a lot of historical baggage associated with GPG verification and `ostree pull` versus `ostree pull-local`. In particular nowadays, if you use a `file://` remote things are transparently optimized to e.g. use reflinks if available. So for anyone who doesn't trust the "remote" repository, you should really go through the regular `ostree remote add --sign-verify=X file://` path for example.

Having a mechanism to say "turn on signapi verification" *without* providing keys goes back into the "global state" debate I brought up in https://github.com/ostreedev/ostree/issues/2080

It's just much cleaner architecturally if there is exactly one path to find keys: from a remote config. So here in contrast to the GPG code, for `pull-local` we explicitly disable signapi validation, and the `ostree_repo_pull()` API just surfaces flags to disable it, not enable it.