On Sat, Nov 20, 2010 at 10:51 PM, Allan McRae <allan@archlinux.org> wrote:
pacman-key:
- tool to manage pacman keyring
- TODO: man page needs tidying/clarification
I'll try to work on that, but everyone is very welcome to help.
repo-add:
- adds package signature (base64) to repos if available when adding package
- has option to sign a repo after creation and verify current signature before making changes
- TODO: check signature used to verify is not only good but is also in a list of accepted keys (???)
Good point, I'll try to do that too.
- TODO: allow selection of key used for signing (patch: http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011435.html)
- TODO: documentation (patch: http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011436.html)
pacman:
- reads in keys from repo-db and decodes them when needed
- reads in .sig files when beside a package being loaded from the filesystem
- integrated gpgme into pacman for signature verification
- provide options to control signature verification on a per repo basis
- verifies signatures of packages when installing from repo
- TODO: create directories needed for keyring during "make install"
That is in the PKGBUILD for pacman, isn't it?
- TODO: verify signatures for packages installed from filesystem (???)
I'll check if it is being done, but if I'm not mistaken, it is currently implemented.
- TODO: download and verify signatures of dbs (patches: http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011433.html http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011434.html)
I think the very last TODO there is the only thing stopping us from getting some actual testing of this work underway. I think I have my head around what the two patches are doing now, but I am not sure I like the "how" of that doing. So I will make an attempt into hacking them as I see fit in the next few days... Then I will publish a signed repo with a pacman-git and we can see how this all goes!
Please, don't hesitate to ask if you have any questions about the implementation details. Or if you want to delegate the real work, you can ask me to change specific details. Just say what to do and I can help.

--
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

-------------------------------------------
Denis A. Altoe Falqueto
Linux user #524555
-------------------------------------------
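
The repo-add TODO in the message above (a signature that is not only good but also made by a key on an accepted list) is illustrated by the following added example, which is not part of the original message or of pacman's code. It parses gpg's `--status-fd` output; the function name, the accept-list format and the sample status lines are assumptions constructed for illustration, and one signature per file is assumed.

```bash
#!/usr/bin/env bash
# Accept a signature only if gpg reports it valid AND the signing key's
# primary fingerprint is on an explicit accept list. Input is the status
# text written by `gpg --status-fd 1 --verify FILE.sig FILE`.
# sig_is_accepted STATUS_TEXT "FPR1 FPR2 ..."  -> exit 0 if accepted, else 1
sig_is_accepted() {   # hypothetical helper, not a repo-add function
    local status accepted signer want
    local tag kind f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 rest
    status=$1 accepted=$2 signer=""
    while read -r tag kind f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kind in
            # A failed, unverifiable, expired or revoked-key signature rejects.
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
            # VALIDSIG: field 3 is the signing (sub)key fingerprint; the last
            # field is the primary key fingerprint when gpg supplies it.
            VALIDSIG) signer=${f12:-$f3} ;;
        esac
    done <<EOF
$status
EOF
    [ -n "$signer" ] || return 1    # no VALIDSIG line, nothing to trust
    signer=$(printf '%s' "$signer" | tr 'a-f' 'A-F')
    for want in $accepted; do
        want=$(printf '%s' "$want" | tr 'a-f' 'A-F')
        if [ "$want" = "$signer" ]; then return 0; fi
    done
    return 1                        # good signature, but key not accepted
}

# Constructed sample data (not real keys, not captured gpg output).
A10=AAAAAAAAAA; B10=BBBBBBBBBB
PACKAGER_FPR=$A10$A10$A10$A10       # key on the accept list
STRANGER_FPR=$B10$B10$B10$B10       # key in the keyring, not on the list
mk_status() {  # FPR -> status text for a cryptographically good signature
    printf '[GNUPG:] GOODSIG %s Constructed Signer <signer@example.org>\n' \
        "$(printf '%s' "$1" | cut -c25-40)"
    printf '[GNUPG:] VALIDSIG %s 2010-11-20 1290290000 0 4 0 1 2 00 %s\n' "$1" "$1"
}
STATUS_PACKAGER=$(mk_status "$PACKAGER_FPR")
STATUS_STRANGER=$(mk_status "$STRANGER_FPR")
STATUS_BAD='[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Constructed Signer <signer@example.org>'
ACCEPTED="$PACKAGER_FPR"

for s in PACKAGER STRANGER BAD; do
    eval "text=\$STATUS_$s"
    if sig_is_accepted "$text" "$ACCEPTED"; then echo "$s: accepted"
    else echo "$s: rejected"; fi
done
```

The STRANGER case is the one the TODO is about: gpg reports the signature as good because the key is in the keyring, and only the accept-list comparison rejects it.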