On Thu, Jun 19, 2008 at 3:28 PM, Dan McGee <dpmcgee@gmail.com> wrote:
I'll try to summarize the points a bit; this must have come up in private discussion but never a public forum.

1. Signing databases with one sig gives no way for users to distribute signed individual packages and have them verified by pacman.

2. Signing a database is a rather big deal. Do I feel comfortable signing off on all 2150 packages in extra every single time I sign the database? Not at all. What happens if we later find out one package was compromised? The whole chain of trust has now been broken, and people can't mark a particular signature as untrustworthy to prevent installation of a given package.

3. Signing what you are in control of just seems like the more correct solution.

4. We've found a way to do signoffs on individual packages without bloating the database or number of files. PGP signatures can be put in the database itself, so it is just another verification like md5sum. The biggest reason I had against signing individual packages was the fact that .sig files would introduce a hell of a lot of clutter.

Ok, that makes sense.
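To make points 2 and 4 concrete, here is an added example (not code from this thread or from pacman) of a database whose entries each carry their own embedded signature, so that one signature can be marked untrustworthy, or one package tampered with, without affecting the verdict on any other package. It uses Go's standard-library Ed25519 in place of PGP, and the entry field names and demo key are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
)

// Entry is one database record: the package contents (a stand-in for the tarball)
// and a detached signature over them, stored base64-encoded beside the checksum.
// Field names are assumptions for this example, not pacman's real format.
type Entry struct {
	Name   string
	Data   []byte
	PGPSig string
}

// BuildDB signs every package on its own and embeds the signature in its entry,
// so no separate .sig files are needed.
func BuildDB(priv ed25519.PrivateKey, pkgs []Entry) []Entry {
	db := make([]Entry, len(pkgs))
	for i, p := range pkgs {
		sig := ed25519.Sign(priv, p.Data)
		db[i] = Entry{p.Name, p.Data, base64.StdEncoding.EncodeToString(sig)}
	}
	return db
}

// VerifyPerPackage gives one verdict per entry. A signature the user has marked
// untrustworthy is refused even though it still verifies cryptographically, and a
// tampered or mis-signed package fails alone; every other package is unaffected.
func VerifyPerPackage(pub ed25519.PublicKey, db []Entry, distrusted map[string]bool) map[string]bool {
	out := make(map[string]bool, len(db))
	for _, e := range db {
		sig, err := base64.StdEncoding.DecodeString(e.PGPSig)
		out[e.Name] = err == nil && !distrusted[e.PGPSig] && ed25519.Verify(pub, e.Data, sig)
	}
	return out
}

func main() {
	// Constructed demo key derived from a fixed seed so the run is reproducible.
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{7}, ed25519.SeedSize))
	db := BuildDB(priv, []Entry{{Name: "pkg-a", Data: []byte("a-1.0")}, {Name: "pkg-b", Data: []byte("b-2.0")}})
	distrusted := map[string]bool{db[1].PGPSig: true} // user marks pkg-b's signature untrustworthy
	fmt.Println(VerifyPerPackage(priv.Public().(ed25519.PublicKey), db, distrusted))
}
```

With a single whole-database signature, the same distrust or tampering would turn into one failed verdict covering every package at once.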