[pacman-dev] Package signing again....
Hello, i would like to push this again, as a remainder... Maybe there are now more pacman Devs with the time to continue the work on GPG signed packages. We have the threads in 12/2008 here: http://www.archlinux.org/pipermail/pacman-dev/2008-December/007761.html http://www.archlinux.org/pipermail/pacman-dev/2008-December/007808.html I'd have the impression we're on a good way there - but lack of man power... Regards Gerhard
Gerhard Brauer wrote:
Hello,
i would like to push this again, as a remainder... Maybe there are now more pacman Devs with the time to continue the work on GPG signed packages. We have the threads in 12/2008 here: http://www.archlinux.org/pipermail/pacman-dev/2008-December/007761.html http://www.archlinux.org/pipermail/pacman-dev/2008-December/007808.html
I'd have the impression we're on a good way there - but lack of man power...
I made notes of the additional patches that might be useful to add to Dans new_gpg branch here: http://wiki.archlinux.org/index.php/Pacman_Roadmap Allan
On Tue, Jun 30, 2009 at 8:19 PM, Allan McRae<allan@archlinux.org> wrote:
Gerhard Brauer wrote:
Hello,
i would like to push this again, as a remainder... Maybe there are now more pacman Devs with the time to continue the work on GPG signed packages. We have the threads in 12/2008 here: http://www.archlinux.org/pipermail/pacman-dev/2008-December/007761.html http://www.archlinux.org/pipermail/pacman-dev/2008-December/007808.html
I'd have the impression we're on a good way there - but lack of man power...
I made notes of the additional patches that might be useful to add to Dans new_gpg branch here: http://wiki.archlinux.org/index.php/Pacman_Roadmap
Yeah, lack of manpower/interest/etc. We'll see if it ramps up a bit after 3.3 in the next two weeks, but it is definitely still in our minds. -Dan
IMHO it is a lack of direction rather than lack of man power. If there is a correct road map/consensus of what/how we want to implement, i am sure there are few persons here(including me) who would like to see this implemented and are ready to work on this. I understand that the current pacman devs are quite busy at the moment with next 3.3 release, but if they can come up with a higher level design of what needs to be implemented, we can start working on the boring part of coding and other details :) . This will also remove the uncertainty of whether the patches will get accepted or will need a complete rework after spending a lot of time on this. On Tue, Jun 30, 2009 at 9:56 PM, Gerhard Brauer <gerbra@archlinux.de> wrote:
Hello,
i would like to push this again, as a remainder... Maybe there are now more pacman Devs with the time to continue the work on GPG signed packages. We have the threads in 12/2008 here: http://www.archlinux.org/pipermail/pacman-dev/2008-December/007761.html http://www.archlinux.org/pipermail/pacman-dev/2008-December/007808.html
I'd have the impression we're on a good way there - but lack of man power...
Regards Gerhard
_______________________________________________ pacman-dev mailing list pacman-dev@archlinux.org http://www.archlinux.org/mailman/listinfo/pacman-dev
On Wed, Jul 1, 2009 at 11:19 AM, unohu<unohu0@gmail.com> wrote:
I understand that the current pacman devs are quite busy at the moment with next 3.3 release
I don't know exactly who the current pacman devs are, but I suspect they are busy with other things than pacman :)
unohu wrote:
IMHO it is a lack of direction rather than lack of man power. If there is a correct road map/consensus of what/how we want to implement, i am sure there are few persons here(including me) who would like to see this implemented and are ready to work on this.
I understand that the current pacman devs are quite busy at the moment with next 3.3 release, but if they can come up with a higher level design of what needs to be implemented, we can start working on the boring part of coding and other details :) .
This will also remove the uncertainty of whether the patches will get accepted or will need a complete rework after spending a lot of time on this.
Well, start writing a wiki page about how this should be implemented and request comments. A rough starting point are already given on the git branch and additional patches mentioned in the roadmap wiki (http://wiki.archlinux.org/index.php/Pacman_Roadmap). Allan
On Wed, Jul 1, 2009 at 4:19 AM, unohu<unohu0@gmail.com> wrote: > IMHO it is a lack of direction rather than lack of man power. If there is a > correct road map/consensus of what/how we want to implement, i am sure there > are few persons here(including me) who would like to see this implemented > and are ready to work on this. > > I understand that the current pacman devs are quite busy at the moment with > next 3.3 release, but if they can come up with a higher level design of what > needs to be implemented, we can start working on the boring part of coding > and other details :) . > > This will also remove the uncertainty of whether the patches will get > accepted or will need a complete rework after spending a lot of time on > this. I don't know if anyone really has a clear idea of how this should work. So it's difficult to give a "high level" design here. >From my point of view: * Should be optional, possibly per repo (so we can use signed packages from core and extra, and unsigned packages from mycustomrepo) * Needs to get keys from some keychain somehow * Should be rather transparent once turned on That's all I really care about.
Aaron Griffin schrieb: > I don't know if anyone really has a clear idea of how this should > work. So it's difficult to give a "high level" design here. > >> >From my point of view: > * Should be optional, possibly per repo (so we can use signed packages > from core and extra, and unsigned packages from mycustomrepo) > * Needs to get keys from some keychain somehow > * Should be rather transparent once turned on First of all, I wouldn't use GPG like was suggested in the past, but some real certificates (openssl or gnutls can do this). First we create an Arch Linux certificate authority. Then we generate certificates for all developers and trusted users. Now this is what's going to happen on the pacman end: Pacman has a list of trusted certificates. This would only have to include the Arch Linux CA certificate and certificates for all community repositories that are used on the machine in question. Other certificates can automatically be downloaded and verified. When installing a package with -S, during the "checking integrity" stage, pacman checks for a file "signature" in the db.tar.gz that contains a signature. If it is valid, the installation continues, otherwise aborts. If there is no "signature" file, pacman prints a warning (or aborts, depending on its configuration). Now all that has to be done is generate the signature when running makepkg, upload it with devtools and make repo-add support adding the signature file. This is not at as complicated as you put it :)
participants (7)
-
Aaron Griffin
-
Allan McRae
-
Dan McGee
-
Gerhard Brauer
-
Thomas Bächler
-
unohu
-
Xavier