On 10/25/11, Denis A. AltoƩ Falqueto <denisfalqueto@gmail.com> wrote:
The trust problem is complex, indeed, but we can at least mitigate it doing the following (it's what I do):
1. set TrustedOnly, instead of TrustAll 2. import the keys when pacman asks 3. # pacman-key --edit-key <email or id for key>. That will open a gpg session. 4. go to http://www.archlinux.org/developers/ and/or http://www.archlinux.org/trustedusers/ to check the new signatures 5. sign the key, checking if the fingerprint is correct, according to the websites from step 4 5. perform save to apply the changes
That way, one can be a little more secure when trusting the keys. The point is always checking with different places. Today, there are the keyservers and the Arch developer info pages. Some day, there could be more options (read-only wiki page, fixed BBS posts), so if one is compromised, the others can serve as checkpoints for integrity.
IMHO, I don't like TrustAll very much (and the equivalents concepts in other distributions). It takes the responsibility from the users, who are the ultimate decision makers of their systems. But that is just my opinion (not an invitation to a long pointless discussion). We have options enough to satisfy everyone.
Thanks for the suggested steps. That tells me a bit more about the process. I may give that a try fairly soon.I've done very little with pgp; just setup a personal pgp key pair several years ago and use it with some of my e-mail but other than that, just pretty much left it alone. It seemed like any time I read much about this encryption stuff, it seemed to rise right up way over my head. I suppose I should try and get my head more around this encryption stuff sooner than later.