On Wed, May 5, 2010 at 2:38 PM, Linas <linas_fi@ymail.com> wrote:
Allan McRae wrote:
The first method is what is currently used on the gpg patches that are available. The signature is made in a separate file and then is inserted in the repo db when the package is added.
I would prefer having the signature along the package. Maybe as a tar extended header. This way you can't lose the detached signature (it also means that you need to download twice as many files).
Hey, that would be cool! We wouldn't need to change the name structure of the package and would not lose the signature.
Could the trust database be updated via pacman using post_install on some pacman-keychain package?
Allan I don't see how the pacman-keychain database is going to be updated, since we should also allow the user to make manual changes, so simply replacing the file wouldn't work.
There'll be a script for that, so users and the post-install script will be able to handle it without getting into the details of keyring manipulation. It will be something like:

# pacman-key --import <keyfile>
# pacman-key --trust <keyid>

post-install would call pacman-key --updatedb and the script would delete the old keys and append the new ones, as I wrote in the reply to Allan. This must be called as root, but pacman is always called as root also, so it is not a problem.

In the last case, the user will have to explicitly inform the trust level of the key. We even could automate this, but I don't think it is a good idea. The user must have responsibility for his system (Arch Way rules).

I'll try to commit it to gitorious as soon as I get home, so you can have a look and the discussion is brought to a more practical level too.

--
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

-------------------------------------------
Denis A. Altoe Falqueto
-------------------------------------------