On Thu, Jun 19, 2008 at 7:26 AM, Geoffroy Carrier <geoffroy.carrier@koon.fr> wrote:
Excerpts from Xavier Chantry's message of Thu Jun 19 11:52:49 +0200 2008:
There was a suggestion of just signing the database instead of every package: http://bugs.archlinux.org/task/5331?project=3 But I guess it makes more sense to have the packager sign his own package just after creating it, and that it is more secure that way. Is that the reason why the other simpler system was not considered?

As far as I can see, no one commented on that idea yet. Who would sign it? Aaron Griffin? What does he sign? How can he be sure that it's not corrupted? Does he have to move through every dev's house to physically get each part of what he signs?
I'll try to summarize the points a bit; this must have come up in private discussion but never a public forum.

1. Signing databases with one sig gives no way for users to distribute signed individual packages and have them verified by pacman.

2. Signing a database is a rather big deal. Do I feel comfortable signing off on all 2150 packages in extra every single time I sign the database? Not at all. What happens if we later find out one package was compromised? The whole chain of trust has now been broken, and people can't mark a particular signature as untrustworthy to prevent installation of a given package.

3. Signing what you are in control of just seems like the more correct solution.

4. We've found a way to do signoffs on individual packages without bloating the database or number of files. PGP signatures can be put in the database itself, so it is just another verification like md5sum. The biggest reason I had against signing individual packages was the fact that .sig files would introduce a hell of a lot of clutter.

-Dan
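A constructed toy model of the two designs compared in the thread (added here; not code from the list or from pacman). HMAC-SHA256 with a per-signer key stands in for a PGP signature, and the packager names, keys and package bytes are all made up; the point it shows is the trust decision available in each design when one packager's key is later dropped.

```python
import hashlib
import hmac
import json
# Constructed keys. HMAC-SHA256 with a per-signer key stands in for a PGP
# signature; a real key would have a public half on the user's machine.
KEYS = {"dan": b"dan-key", "aaron": b"aaron-key", "release": b"release-key"}

def sign(signer, data):
    return hmac.new(KEYS[signer], data, hashlib.sha256).hexdigest()

def db_entry(name, packager, blob):
    """One database record: the md5sum plus the packager's own signature,
    stored in the db like any other field (no separate .sig file)."""
    return {"name": name, "packager": packager,
            "md5sum": hashlib.md5(blob).hexdigest(), "sig": sign(packager, blob)}

def check_package(entry, blob, trusted):
    """Per-package verification: needs only the entry, the package bytes and
    the user's trust list, so a package passed around outside the repo
    verifies the same way."""
    if hashlib.md5(blob).hexdigest() != entry["md5sum"]:
        return "corrupt"
    if entry["packager"] not in trusted:
        return "untrusted"
    good = hmac.compare_digest(entry["sig"], sign(entry["packager"], blob))
    return "ok" if good else "bad-signature"

def sign_database(entries):
    """Design 1 in the thread: one signature over the whole database."""
    return sign("release", json.dumps(entries, sort_keys=True).encode())

def check_with_db_sig(entries, db_sig, trusted):
    """Design 1 verification: all packages stand or fall together, because
    the only trust decision available is the database signer's key."""
    blob = json.dumps(entries, sort_keys=True).encode()
    good = "release" in trusted and hmac.compare_digest(db_sig, sign("release", blob))
    return {e["name"]: "ok" if good else "untrusted" for e in entries}

def check_per_package(entries, blobs, trusted):
    """Design 2: each package checked against its own packager's signature."""
    return {e["name"]: check_package(e, blobs[e["name"]], trusted) for e in entries}

def demo():
    blobs = {"pacman": b"pacman-3.1.4.pkg", "foo": b"foo-1.0.pkg"}  # constructed
    entries = [db_entry("pacman", "dan", blobs["pacman"]),
               db_entry("foo", "aaron", blobs["foo"])]
    db_sig = sign_database(entries)
    trusted = {"dan", "release"}  # aaron's key dropped after a compromise
    return check_with_db_sig(entries, db_sig, trusted), check_per_package(entries, blobs, trusted)
```

With the whole-database signature the compromised package still verifies, because the release key is the only thing a user can distrust; with per-package signatures only aaron's package is refused while dan's remains installable.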