5 Mar
2012
5 Mar
'12
9:42 a.m.
On 05.03.2012 10:39, Christian Hesse wrote:
Hello everybody,
afaik, database files in official repositories are not signed yet. Are they?
This forces one to set SigLevel to 'Optional' instead of 'Required'. Now if anybody wants to provide an infected package he/she only needs to provide no signature at all and the package is happily accepted, no?
So when will database files from official packages be signed?
And even more interesting: Does it make sense to add a new option 'PkgRequired'? This could force valid signatures for packages and make it optional for database files.
You should read pacman.conf(5) "PACKAGE AND DATABASE SIGNATURE CHECKING" and use "Optional PackageRequired" -- Florian Pritz