On Fri, May 7, 2010 at 9:28 AM, Aleksis Jauntēvs <aleksis.jauntevs@gmail.com> wrote:
Still thinking further - if the signatures are updated with pacman-keyring package, what if user doesn't update often and skips one or more versions of this package? Does this mean that user still will have some unremoved signatures in his pacman keyring? Correct me if I understand this wrong.
The nomenclature for the "added" keys file is not really the best. The idea is that it would be the set of current valid keys. So, the updatedb process would just be: current keyring - deleted keys + valid keys. When a key is approved, it goes to the set of valid keys and stays there until it is revoked or disabled by moving it to the deleted keys set. So, even if a user misses a pacman-keyring package update, the next will still contain all valid keys and the result will be correct.
And another question, if some developer's key becomes invalid, how to deal with all packages in the repos signed with this signature?
I think they should be at least re-signed by a valid dev key. Maybe, if some package was compromised, it should be rebuilt and re-signed by a valid dev key.

--
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

-------------------------------------------
Denis A. Altoe Falqueto
-------------------------------------------