On Wed, Apr 28, 2010 at 6:37 PM, Linas <linas_fi@ymail.com> wrote:
> I wrote about this topic ~1 month ago. You don't need PKIs or to distribute the keyrings themselves. GPG supports transitive trust. The pacman keyring would be installed by default trusting whatever keys a pacman root signature has signed (there could also be a different master key for community developers). The basic idea here is that you are not trusting the repository, but the individuals themselves. The master key -which can be kept offline and is only used when a developer joins/parts- provides a basic default (people we generally trust), but a power user could reconfigure it to not accept packages signed by Pierre, because he distrusts him :), or he can add additional trusted people (a much more likely scenario) by just adding that person's key to their keyring.
Hi, Linas. Yes, you are right. I'm reading about the transitive trust scheme and it really solves most of our problems. For the interested, here comes an interesting explanation: http://www.apache.org/dev/openpgp.html#wot-verifying-links

About the other comments, in fact, the web of trust explained in the link is the correct implementation of what I've thought. I'll draft a workflow and return in a while.

--
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

-------------------------------------------
Denis A. Altoe Falqueto
-------------------------------------------
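As an added illustration of the transitive-trust scheme discussed in this thread (it is not code from the thread, from pacman or from GPG), the following Python model computes key validity the way GPG's web of trust does: ultimately trusted keys are valid, and a key becomes valid when enough valid keys whose owners are trusted have certified it, up to a depth limit. Package signatures are modelled as already cryptographically verified; key ids, owner names, the "MASTER"/"COMMUNITY"/"USER" keys and the thresholds are constructed assumptions, chosen to mirror GPG's defaults (marginals-needed 3, completes-needed 1, max-cert-depth 5).

```python
"""Model of web-of-trust key validity for a package keyring.

Added illustration only: certifications are assumed to be already-verified
signature records, so only the trust computation is shown. All key ids,
owner names and thresholds below are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class OwnerTrust(Enum):
    """How far we trust a key's owner to certify (sign) other people's keys."""
    UNKNOWN = 0
    NEVER = 1
    MARGINAL = 2
    FULL = 3
    ULTIMATE = 4


@dataclass
class Key:
    key_id: str
    owner: str
    certified_by: set = field(default_factory=set)  # ids of keys that signed this key
    disabled: bool = False  # local decision: never accept anything from this key


class Keyring:
    """Keyring whose key validity is derived from trusted certifications."""

    def __init__(self, marginals_needed=3, completes_needed=1, max_depth=5):
        self.keys = {}
        self.ownertrust = {}
        self.marginals_needed = marginals_needed
        self.completes_needed = completes_needed
        self.max_depth = max_depth

    def add_key(self, key_id, owner, trust=OwnerTrust.UNKNOWN):
        self.keys[key_id] = Key(key_id, owner)
        self.ownertrust[key_id] = trust

    def certify(self, signer_id, target_id):
        """Record that signer_id signed target_id (e.g. master key signs a new developer)."""
        self.keys[target_id].certified_by.add(signer_id)

    def set_ownertrust(self, key_id, trust):
        self.ownertrust[key_id] = trust

    def disable(self, key_id):
        self.keys[key_id].disabled = True

    def valid_keys(self):
        """Ultimately trusted keys are valid; then, level by level, a key becomes
        valid when certified by enough valid keys with FULL/ULTIMATE or MARGINAL
        ownertrust. Disabled keys and NEVER-trusted introducers never count."""
        valid = {k for k, key in self.keys.items()
                 if self.ownertrust[k] is OwnerTrust.ULTIMATE and not key.disabled}
        for _ in range(self.max_depth):
            newly_valid = set()
            for kid, key in self.keys.items():
                if kid in valid or key.disabled:
                    continue
                introducers = [s for s in key.certified_by if s in valid]
                full = sum(self.ownertrust[s] in (OwnerTrust.FULL, OwnerTrust.ULTIMATE)
                           for s in introducers)
                marginal = sum(self.ownertrust[s] is OwnerTrust.MARGINAL
                               for s in introducers)
                if full >= self.completes_needed or marginal >= self.marginals_needed:
                    newly_valid.add(kid)
            if not newly_valid:
                break
            valid |= newly_valid
        return valid

    def accepts_package_from(self, signer_id):
        """A package signature is only accepted when the signing key is valid."""
        return signer_id in self.valid_keys()


def pacman_scenario():
    """Constructed scenario: the default keyring, then the user's local changes.
    Returns (accepted_before, accepted_after) maps of signer id -> bool."""
    ring = Keyring()
    # Shipped default: the offline master key is ultimately trusted, and the
    # developer keys it has signed become valid transitively.
    ring.add_key("MASTER", "pacman master key", OwnerTrust.ULTIMATE)
    for kid, owner in [("ALLAN", "Allan"), ("PIERRE", "Pierre")]:
        ring.add_key(kid, owner)
        ring.certify("MASTER", kid)
    # A separate community master key, signed by MASTER and trusted to introduce
    # further keys, makes a trusted user's key valid at depth two.
    ring.add_key("COMMUNITY", "community master key", OwnerTrust.FULL)
    ring.certify("MASTER", "COMMUNITY")
    ring.add_key("TU", "trusted user")
    ring.certify("COMMUNITY", "TU")
    ring.add_key("STRANGER", "unknown uploader")  # nobody trusted signed this key
    signers = ("ALLAN", "PIERRE", "TU", "STRANGER", "FRIEND")
    before = {s: ring.accepts_package_from(s) for s in signers}
    # Power-user reconfiguration: stop accepting Pierre, and add a friend's key
    # by signing it with the user's own ultimately trusted key.
    ring.disable("PIERRE")
    ring.add_key("USER", "local user", OwnerTrust.ULTIMATE)
    ring.add_key("FRIEND", "friend")
    ring.certify("USER", "FRIEND")
    after = {s: ring.accepts_package_from(s) for s in signers}
    return before, after


if __name__ == "__main__":
    print(pacman_scenario())
```

The default keyring accepts Allan, Pierre and the trusted user (via the community key) but not the stranger; after the local changes Pierre is rejected and the friend is accepted, with nothing about the repository itself involved.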