On 03.11.2013 11:03, Allan McRae wrote:
If an attacker obtains any of our packagers' keys then they can sign a package. So by your logic we should not be signing packages.
Also, this is the way every other distro signs their databases and packages. And they all use gpgv to verify packages which has no idea about a web of trust. This seems like something we should be able to achieve...
Finally, I think signing databases is far more important than signing packages. The most practical attack on Arch is to become a mirror and hold back package updates with known vulnerabilities. Then you even know the IP addresses of people who have the vulnerable package. DB signing stops this as the entire database needs to be held back and people will notice the lack of updates.
I tend to fully agree with Allan here. We need to sign databases and the risk of having the signing key on nymeria is smaller than you make it look.
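The hold-back argument above, as an added example that is not part of the original thread: a mirror that serves a mixed database passes per-package verification, because every entry still carries a valid signature, but fails verification of a signature over the whole database. HMAC-SHA256 with a constructed key stands in for the detached GPG signatures pacman uses, and the package names and versions are constructed.

```python
import hashlib
import hmac
import json

# Constructed key: stands in for the repo signing key (pacman uses detached GPG signatures).
SIGNING_KEY = b"constructed-repo-signing-key"


def sign(data: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)


def sign_packages(db: dict) -> dict:
    """Per-package signing: each (name, version) entry carries its own signature."""
    return {name: sign(f"{name}-{ver}".encode()) for name, ver in db.items()}


def verify_packages(db: dict, sigs: dict) -> bool:
    return all(verify(f"{name}-{ver}".encode(), sigs[name]) for name, ver in db.items())


def sign_db(db: dict) -> bytes:
    """Database signing: one signature over a canonical serialization of all entries."""
    return sign(json.dumps(db, sort_keys=True).encode())


def verify_db(db: dict, sig: bytes) -> bool:
    return verify(json.dumps(db, sort_keys=True).encode(), sig)


# Constructed repository state: yesterday's database and today's, which updates one package.
OLD_DB = {"openssl": "1.0.1e-1", "pacman": "4.1.2-1"}
NEW_DB = {"openssl": "1.0.1e-2", "pacman": "4.1.2-1"}

# A mirror serves today's database but keeps the old openssl entry; with per-package
# signatures it can simply reuse the old, still-valid signature for that entry.
HELD_BACK_DB = dict(NEW_DB, openssl=OLD_DB["openssl"])
held_back_sigs = dict(sign_packages(NEW_DB), openssl=sign_packages(OLD_DB)["openssl"])


def per_package_detects_holdback() -> bool:
    """False: every entry in the mixed database still verifies on its own."""
    return not verify_packages(HELD_BACK_DB, held_back_sigs)


def db_signature_detects_holdback() -> bool:
    """True: today's database signature does not cover the mixed database, so the
    mirror can only serve the old database whole, which shows up as no updates at all."""
    return not verify_db(HELD_BACK_DB, sign_db(NEW_DB))
```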