On Mon, Aug 24, 2009 at 6:19 PM, Dan McGee <dpmcgee@gmail.com> wrote:
On Mon, Aug 24, 2009 at 5:28 PM, Xavier <shiningxc@gmail.com> wrote:
On Tue, Aug 25, 2009 at 12:19 AM, Allan McRae <allan@archlinux.org> wrote:
Xavier wrote:
Just to let you know that I resurrected the gpg branch there: http://code.toofishes.net/cgit/xavier/pacman.git/log/?h=gpg
I took Dan's newgpg branch (with a few changes): http://code.toofishes.net/cgit/dan/pacman.git/commit/?h=newgpg then merged the pending patches we had: http://archlinux.org/pipermail/pacman-dev/2008-December/007808.html http://archlinux.org/pipermail/pacman-dev/2008-December/007836.html http://archlinux.org/pipermail/pacman-dev/2008-December/007837.html and rebased it all on master.
Actually I don't see what else needs to be done on the implementation side, it looks almost complete to me.
Now the big remaining problem is that everything related to key administration still needs to be figured out, and this is critical in terms of security. But it might not need additional tool support.
So... how about we set up a small signed package repo somewhere and just see how this all goes? We are not going to know all the issues until we actually use it.
That's probably a good idea. I wish some people who actually knew how to use gnupg a bit could help though :)
I did a whole lot of looking and working on this today while sitting in the jury waiting room (and woo, I got picked to be on a jury, meh). I've actually worked my way back through the original patches and am about halfway through what Xavier has on his branch, and I've actually added another 3 or 4 patches to the mix. I'll try to push the "results" somewhere public tonight. I do feel the momentum on this whole thing actually moving in the right direction, however, so that is awesome.
Hopefully I will be able to continue the patch processing and tidying and keep looking at this throughout the week.
Remember only half of the patches are there: http://code.toofishes.net/cgit/dan/pacman.git/log/?h=gpg