On Wed, 28 Apr 2010 14:18:02 -0300, Denis A. AltoƩ Falqueto <denisfalqueto@gmail.com> wrote:
Hi, Allan and Aleksis.
I was thinking about this problem for sometime and the more complex part is the key distribution and trusting. Now I maybe came to something usefull.
I'm thinking about a two way signing process. The dev signs the package and send it to the server. The server would have a script or a cron job to verify if the signature is valid and is from someone trusted [1]. If so, the original signature is discarded and a new one is made, with an official Arch key.
So the problem of distributing keys is solved. We just need to distribute and trust the official public key of Arch. If some new developer comes to the team, its digital fingerprint is added to the list of trusted devs. If someone is removed, its fingerprint is removed. The users will trust in anything the server has signed, because the physical access to the private key is kept safe (so we hope :)). If some developer loses the confidence in his key, he can generate another and send the fingerprint to the admin, so it can be added toe the trusted list.
I am willing to help with any efforts in this area. I'm already subscribed in pacman-dev and if this discussion pops up there, count me on.
[1] - there should be a list of fingerprints of trusted devs, only writeable by a few admins.
Why not just use openssl instead of gpg then? You have a root cert which sings the individual pub keys of every dev. To verify the packages users just have to trust the root cert. This does even support some kind of revoke etc.. (you could even sign the root cert by an external entity like cacert to make it even more secure. -- Pierre Schmitz, https://users.archlinux.de/~pierre