[pacman-dev] Pacman 4.0.0rc2
You don't need to be as daring this time- we've had some 246 commits since RC1. The most relevant changes is signing is about 95% functional at this point- see directions below the links. * pacman -U http://dev.archlinux.org/~dan/pacman-4.0.0rc2-1-i686.pkg.tar.gz * pacman -U http://dev.archlinux.org/~dan/pacman-4.0.0rc2-1-x86_64.pkg.tar.gz Please report any issues you may find with this package, as it is getting very close to being an actual releasable version. These are debug builds with symbols, so getting stack traces and helpful logging should be relatively straight forward if necessary. == How to enable package signature checking == 1. Install above pacman RC package. 2. sudo pacman-key --init 3. `SigLevel = Optional` in pacman.conf is the default- for more info, see man pacman.conf, but this means signatures will be checked *if available*, and there will be no error if they are not. However, due to us not having a web of trust for Arch developer keys, you will need to add this to the [options] section: SigLevel = Optional TrustAll 4. Run -Syu or any other operation that fetches packages from sync databases. When it comes time to check package integrity, you may be prompted to import keys that are not in your keychain. If a signature is available, it will be used instead of sha256sums/md5sums. -Dan
On Thu, Sep 22, 2011 at 2:27 PM, Dan McGee <dpmcgee@gmail.com> wrote:
Please report any issues you may find with this package, as it is getting very close to being an actual releasable version. These are debug builds with symbols, so getting stack traces and helpful logging should be relatively straight forward if necessary.
I'm using it in a daily basis and it is very good! I just have one issue with pacman-key. I'm using --lsign-key to sign keys locally, so gpg trusts them for validating signatures. But pacman-key is confirming the process without asking me. It just feeds 'y's to gpg, so it signs the keys without I having the chance of doing manual validation of fingerprints. I think pacman-key should just let gpg handle the process, showing information about the key and asking if I agree with that. For example, if one uses --edit-key to sign keys, a manual confirmation is needed to get a key signed. Do you agree? I can send a patch, if that's the case. -- A: Because it obfuscates the reading. Q: Why is top posting so bad? ------------------------------------------- Denis A. Altoe Falqueto Linux user #524555 -------------------------------------------
On Thu, Sep 29, 2011 at 1:37 PM, Denis A. Altoé Falqueto <denisfalqueto@gmail.com> wrote:
On Thu, Sep 22, 2011 at 2:27 PM, Dan McGee <dpmcgee@gmail.com> wrote:
Please report any issues you may find with this package, as it is getting very close to being an actual releasable version. These are debug builds with symbols, so getting stack traces and helpful logging should be relatively straight forward if necessary.
I'm using it in a daily basis and it is very good! I just have one issue with pacman-key.
I'm using --lsign-key to sign keys locally, so gpg trusts them for validating signatures. But pacman-key is confirming the process without asking me. It just feeds 'y's to gpg, so it signs the keys without I having the chance of doing manual validation of fingerprints. I think pacman-key should just let gpg handle the process, showing information about the key and asking if I agree with that. For example, if one uses --edit-key to sign keys, a manual confirmation is needed to get a key signed.
Do you agree? I can send a patch, if that's the case. If you want this level of control, why wouldn't you just use `pacman-key --edit-key`?
On Thu, Sep 29, 2011 at 6:39 PM, Dan McGee <dpmcgee@gmail.com> wrote:
On Thu, Sep 29, 2011 at 1:37 PM, Denis A. Altoé Falqueto <denisfalqueto@gmail.com> wrote:
On Thu, Sep 22, 2011 at 2:27 PM, Dan McGee <dpmcgee@gmail.com> wrote:
Please report any issues you may find with this package, as it is getting very close to being an actual releasable version. These are debug builds with symbols, so getting stack traces and helpful logging should be relatively straight forward if necessary.
I'm using it in a daily basis and it is very good! I just have one issue with pacman-key.
I'm using --lsign-key to sign keys locally, so gpg trusts them for validating signatures. But pacman-key is confirming the process without asking me. It just feeds 'y's to gpg, so it signs the keys without I having the chance of doing manual validation of fingerprints. I think pacman-key should just let gpg handle the process, showing information about the key and asking if I agree with that. For example, if one uses --edit-key to sign keys, a manual confirmation is needed to get a key signed.
Do you agree? I can send a patch, if that's the case. If you want this level of control, why wouldn't you just use `pacman-key --edit-key`?
Indeed, I could. And i was, until I saw the option to sign directly. But I think it is important for the user to have an opportunity to validate the key that will be signed. It is an important operation and shouldn't be made in a hurry. That's why gpg itself requires the user to confirm before signing. -- A: Because it obfuscates the reading. Q: Why is top posting so bad? ------------------------------------------- Denis A. Altoe Falqueto Linux user #524555 -------------------------------------------
On Thu, Sep 29, 2011 at 9:23 PM, Denis A. Altoé Falqueto <denisfalqueto@gmail.com> wrote:
On Thu, Sep 29, 2011 at 6:39 PM, Dan McGee <dpmcgee@gmail.com> wrote:
On Thu, Sep 29, 2011 at 1:37 PM, Denis A. Altoé Falqueto <denisfalqueto@gmail.com> wrote:
On Thu, Sep 22, 2011 at 2:27 PM, Dan McGee <dpmcgee@gmail.com> wrote:
Please report any issues you may find with this package, as it is getting very close to being an actual releasable version. These are debug builds with symbols, so getting stack traces and helpful logging should be relatively straight forward if necessary.
I'm using it in a daily basis and it is very good! I just have one issue with pacman-key.
I'm using --lsign-key to sign keys locally, so gpg trusts them for validating signatures. But pacman-key is confirming the process without asking me. It just feeds 'y's to gpg, so it signs the keys without I having the chance of doing manual validation of fingerprints. I think pacman-key should just let gpg handle the process, showing information about the key and asking if I agree with that. For example, if one uses --edit-key to sign keys, a manual confirmation is needed to get a key signed.
Do you agree? I can send a patch, if that's the case. If you want this level of control, why wouldn't you just use `pacman-key --edit-key`?
Indeed, I could. And i was, until I saw the option to sign directly. But I think it is important for the user to have an opportunity to validate the key that will be signed. It is an important operation and shouldn't be made in a hurry. That's why gpg itself requires the user to confirm before signing. I added this operation as a helpful shortcut; I'd like it to stay helpful (to me at least) by not wasting my time, and also being generally useful in a script where I can't have interactivity.
If the user wants to slow down, use --edit-key, or use --list-sigs before calling --lsign-key- we aren't forcing this down their throat by any means. I see --populate and --edit-key as interactive options, I never meant for --lsign-key to be in that same boat. Does that make sense? I'd be happy to document this better. -Dan
On Thu, Sep 29, 2011 at 11:34 PM, Dan McGee <dpmcgee@gmail.com> wrote:
I added this operation as a helpful shortcut; I'd like it to stay helpful (to me at least) by not wasting my time, and also being generally useful in a script where I can't have interactivity.
If the user wants to slow down, use --edit-key, or use --list-sigs before calling --lsign-key- we aren't forcing this down their throat by any means.
I see --populate and --edit-key as interactive options, I never meant for --lsign-key to be in that same boat. Does that make sense? I'd be happy to document this better.
Well, not really a big deal for me, anyway. I can easily change my copy of pacman-key every time it change :). I just think it is dangerous to sign without asking first, even if the user can use --list-{keys,sigs} to check the keyring before calling --edit-key. --edit-key is more bureaucratic (probably that's why gpg have --lsign-key as an command). But, as I said, it is not a deal breaker. -- A: Because it obfuscates the reading. Q: Why is top posting so bad? ------------------------------------------- Denis A. Altoe Falqueto Linux user #524555 -------------------------------------------
participants (2)
-
Dan McGee
-
Denis A. Altoé Falqueto