Hi all,

while working on our keyring package again I am still stuck at this question. pacman-key --populate checks if the files to import are signed. The man page tells us:

"This prevents a potentially malicious repository adding keys to the pacman keyring without the users knowledge."

But I don't get the reasoning here at all. If I install a malicious package, its install function is run as root and can do anything, including bypassing the --populate function and calling gpg directly. If I miss anything here please let me know as I couldn't find out.

Removing this check would save me from reinventing the wheel and I don't have to create a script which does exactly what --populate does but without the check. This check prevents us from a simple bootstrap, and we gain no improved security if we let the user do it manually. (Think about what a malicious package would do.)

In detail this means removing the call to verify_keyring_input in pacman-key and then removing the now unused functions verify_keyring_input and validate_with_gpg.

Greetings,

Pierre

--
Pierre Schmitz, http://pierre-schmitz.com