On 25/11/10 02:31, Denis A. Altoé Falqueto wrote:
On Wed, Nov 24, 2010 at 1:58 PM, Allan McRae <allan@archlinux.org> wrote:
However, if you are using an external repo maintained by one person, you probably do not want to give that person's key any rights to sign other keys. So I would not want to give that key ultimate trust. However, locally signing the key would allow me to accept the packages from that repo as validly signed.
Agreed. A special key pair just for the purpose of trusting is very appropriate, especially with third party repositories. I'll update the wiki page with that advice.
I would add it as an option to the wiki rather than a complete replacement. Doing that is probably overkill for people who will just use the Arch repos, in which case setting one of the "Arch master" keys to ultimate trust would be fine.
If people think the second method is reasonable, it would be good to add an option to pacman-key to allow signing (locally only) of keys.
In fact, it already has. It is the --trust option.
Ah... of course (and the --adv option is always there...). Maybe we should rename the --trust option to --edit-key to keep in line with what GPG is really doing there and to make it clear you can set more than just trust. Also, it always seemed weird to me that I was setting --trust and then had to type "trust" again at the prompt to do it.
Yeah, I can change that. I really suck at naming things :)
Cool. That is the sort of thing you do not really notice until the script is given a really good use. Overall I am finding it very useful in managing my pacman keyring.

Allan