On Thu, 2010-04-29 at 00:36 +0200, Linas wrote:
Thomas Bächler wrote:
We must have a system that allows pacman to automatically verify new developer keys and revoke old ones ... even more important, revoke them in a way that signatures made before a certain date are still accepted, but newer ones aren't. I don't see this easily being implemented with PGP-Keys, but maybe someone else knows more.
You can't trust a package made with a compromised key just because it looks old. That can be falsified. Packages not affected should be resigned by another developer / the new developer's key. I would still recompile them, though (without necessarily increasing the pkgrel).
You might trust the date if it was already on your local drive before the compromise date, but in such a case you probably have it already installed, so you don't need to check it.
Under which circumstances would you envision the need to trust an old, compromised signature?
New install, dev for a couple of [extra] packages has already left the team. Having to recompile every time a dev leaves the team is additional (unnecessary) hassle IMO, especially for bigger packages (openoffice and sons, I'm looking at you).
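The point Linas makes above, that a signature's date is filled in by whoever holds the key and therefore proves nothing once the key is compromised, as an added example (not code from this thread or from pacman). Ed25519 stands in for PGP, the keyring/cutoff policy, package names, digests and dates are all constructed, and the "re-sign with a trusted key" path is the workaround Linas proposes:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Constructed sample data: a fake package digest and the compromise date
// used as the revocation cutoff in the story.
var (
	pkgDigest   = sha256.Sum256([]byte("openoffice-3.2.0-1 (constructed sample content)"))
	compromised = time.Date(2010, 4, 1, 0, 0, 0, 0, time.UTC)
)

// SignedPackage carries a claimed signing time. The signer fills it in, so it
// is an assertion by the key holder, not a fact about real time (PGP's
// signature creation time works the same way).
type SignedPackage struct {
	Name      string
	Digest    [32]byte
	SignedAt  time.Time
	Signature []byte
	Signer    ed25519.PublicKey
}

// signedBytes is the byte string the signature actually covers:
// name, NUL, digest, big-endian Unix time.
func signedBytes(name string, digest [32]byte, signedAt time.Time) []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(signedAt.Unix()))
	msg := append([]byte(name), 0)
	msg = append(msg, digest[:]...)
	return append(msg, ts[:]...)
}

// Sign produces a signature over (name, digest, claimedTime). Anyone holding
// priv can put any time they like in claimedTime.
func Sign(priv ed25519.PrivateKey, name string, digest [32]byte, claimedTime time.Time) SignedPackage {
	return SignedPackage{
		Name:      name,
		Digest:    digest,
		SignedAt:  claimedTime,
		Signature: ed25519.Sign(priv, signedBytes(name, digest, claimedTime)),
		Signer:    priv.Public().(ed25519.PublicKey),
	}
}

// Keyring maps a public key to its revocation cutoff; nil means still trusted.
// This is the "accept signatures made before date X" policy from the thread.
type Keyring map[string]*time.Time

// Accept implements that policy: known key, valid signature, and for a
// revoked key a claimed signing time before the cutoff.
func (k Keyring) Accept(p SignedPackage) bool {
	cutoff, known := k[string(p.Signer)]
	if !known {
		return false
	}
	if !ed25519.Verify(p.Signer, signedBytes(p.Name, p.Digest, p.SignedAt), p.Signature) {
		return false
	}
	return cutoff == nil || p.SignedAt.Before(*cutoff)
}

// Outcome records what the cutoff policy does with four signatures.
type Outcome struct {
	HonestOld  bool // genuine pre-compromise signature: accepted
	PostCutoff bool // genuine signature dated after the cutoff: rejected
	Backdated  bool // attacker signs with the stolen key, claims an old date
	Resigned   bool // another developer re-signs with a trusted key
}

// Demo runs the scenario; the interesting result is Backdated == true.
func Demo() Outcome {
	oldPub, oldPriv, _ := ed25519.GenerateKey(rand.Reader)
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader)

	ring := Keyring{
		string(oldPub): &compromised, // revoked as of the compromise date
		string(newPub): nil,          // current developer key
	}

	honest := Sign(oldPriv, "openoffice", pkgDigest, compromised.AddDate(0, -1, 0))
	late := Sign(oldPriv, "openoffice", pkgDigest, compromised.AddDate(0, 1, 0))
	// The attacker holds oldPriv after the compromise but writes a date before it.
	evilDigest := sha256.Sum256([]byte("trojaned package (constructed)"))
	backdated := Sign(oldPriv, "openoffice", evilDigest, compromised.AddDate(0, -2, 0))
	// Linas's workaround: the unaffected package is re-signed with a trusted key.
	resigned := Sign(newPriv, "openoffice", pkgDigest, compromised.AddDate(0, 1, 0))

	return Outcome{
		HonestOld:  ring.Accept(honest),
		PostCutoff: ring.Accept(late),
		Backdated:  ring.Accept(backdated),
		Resigned:   ring.Accept(resigned),
	}
}

func main() {
	o := Demo()
	fmt.Printf("honest pre-compromise signature accepted: %v\n", o.HonestOld)
	fmt.Printf("honest post-cutoff signature accepted:    %v\n", o.PostCutoff)
	fmt.Printf("backdated forgery accepted:               %v (the date is not trustworthy)\n", o.Backdated)
	fmt.Printf("re-signed with current key accepted:      %v\n", o.Resigned)
}
```

The verifier has no way to distinguish the honest old signature from the backdated forgery: both verify under the same key and both carry a claimed time before the cutoff. Only a timestamp from a party the attacker does not control (or a fresh signature from a key that is still trusted, as in the re-signed case) changes that.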