[2012-02-19 17:18:51 +0100] Pierre Schmitz:
As a result I created a git repo which is meant to store all packager and master keys: https://projects.archlinux.org/archlinux-keyring.git/ The advantage over putting these files directly into svn is that we could use a cleaner layout with subdirs, sign tags and verify the source. The result is a (signed) tarball which can be used in the actual package which would contain additional logic. The keyids are exported from archweb.
I do not understand the purpose of this tree. Actual key verification happens when a user lsigns certain keys of their keyring, why do it here? Our public key infrastructure can cope perfectly well with a keyring package shipping corrupted keys, so long as users do some verification before lsigning the master keys. If you feel our public key infrastructure needs more security, it should be added down in the infrastructure itself rather than convenience layers such as the keyring package.

Since that tree duplicates information from archweb and data that I thought we agreed to let keyservers handle, I would consider it much simpler and more convenient to generate the list of packagers from archweb and retrieve the corresponding keys from a keyserver as we go in the build() function of the package. And there should be no need to manually verify anything but the master keys: if there is, that would be a flaw in GPG and/or the use pacman makes of it, not the keyring package.

Cheers.

-- Gaetan
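The trust argument in this exchange can be shown with a small model: a keyring package may carry corrupted keys, but a packager key only becomes usable once it is signed by master keys the user has verified and lsigned. The script below is an added illustration, not code from the thread or from the archlinux-keyring project; the fingerprints, user ids and the signature threshold are constructed assumptions, and signatures are modelled as recorded signer fingerprints rather than real OpenPGP signatures.

```python
# Toy model of the keyring trust argument: keys are trusted only through
# lsigned master keys, never because they happen to be in the keyring.
# All data below is constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Key:
    fpr: str                                   # fingerprint (sample value)
    uid: str                                   # user id string
    sigs: set = field(default_factory=set)     # fingerprints of keys that signed this one


def trusted_packagers(keyring: dict, lsigned: set, threshold: int) -> set:
    """Return fingerprints of keys usable for package verification:
    keys the user lsigned directly, plus keys carrying signatures from
    at least `threshold` distinct lsigned master keys that are present
    in the keyring. Self-signatures and signatures from unknown or
    un-lsigned keys contribute nothing, so a substituted key in a
    corrupted keyring package gains no trust on its own."""
    trusted = set()
    for fpr, key in keyring.items():
        if fpr in lsigned:
            trusted.add(fpr)
            continue
        master_sigs = {s for s in key.sigs if s in lsigned and s in keyring}
        if len(master_sigs) >= threshold:
            trusted.add(fpr)
    return trusted


def demo_keyring() -> dict:
    """Constructed keyring: two master keys, one packager key signed by
    both, and a substituted key that claims the same packager uid but
    carries only a self-signature and a signature from an unknown key."""
    m1 = Key("MASTER-A", "Master Key A")
    m2 = Key("MASTER-B", "Master Key B")
    good = Key("PKG-GOOD", "Packager <pkg@example.org>", {"MASTER-A", "MASTER-B"})
    bad = Key("PKG-BAD", "Packager <pkg@example.org>", {"PKG-BAD", "STRANGER"})
    return {k.fpr: k for k in (m1, m2, good, bad)}


if __name__ == "__main__":
    ring = demo_keyring()
    # User verified both master keys out of band and lsigned them.
    print(trusted_packagers(ring, {"MASTER-A", "MASTER-B"}, threshold=2))
    # User lsigned nothing: the keyring package alone conveys no trust.
    print(trusted_packagers(ring, set(), threshold=2))
```

The threshold is a parameter of this model only; the point it demonstrates is that the verification step that matters is the user's check of the master keys before lsigning, exactly as argued above.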