On 20.02.2012 00:05, Gaetan Bisson wrote:
> I do not understand the purpose of this tree. Actual key verification happens when a user lsigns certain keys of their keyring, why do it here? Our public key infrastructure can cope perfectly well with a keyring package shipping corrupted keys, so long as users do some verification before lsigning the master keys.

Sure, the verification in the update script is technically not needed. This is more a QA check for the package maintainer. And I'd also think it'll be good practice to ensure the package only contains valid and fully trusted keys.

> If you feel our public key infrastructure needs more security, it should be added down in the infrastructure itself rather than convenience layers such as the keyring package.
>
> Since that tree duplicates information from archweb and data that I thought we agreed to let keyservers handle, I would consider it much simpler and more convenient to generate the list of packagers from archweb and retrieve the corresponding keys from a keyserver as we go in the build() function of the package.

The keyids come from archweb (maybe we can have a simple export later). We also download missing keys from the keyservers. Imho it's nice to have a local copy independent from any third party services. But sure, some of these design decisions are a matter of taste and we could even change it as we go. Imho it's more important to concentrate on things that really matter here.

--
Pierre Schmitz, http://pierre-schmitz.com