[arch-dev-public] Proposed news item: Package verification
Hi everyone,

How about the following news item?

========

Title: Having pacman verify packages

Over the past six months, pacman has had package verification features, although they were turned off while we were still figuring out the details of our public-key infrastructure. This work has resulted in the <a href="https://www.archlinux.org/packages/core/any/archlinux-keyring/">archlinux-keyring package</a>, which contains all the data you need to authenticate packages as made by official Arch packagers (developers and trusted users).

Having pacman verify packages is now as easy as doing:

pacman -Syu archlinux-keyring
pacman-key --init
pacman-key --populate archlinux

The archlinux-keyring package contains five master keys that are used to authenticate official Arch packagers, so you do not need to know who joins or leaves the team: you just have to verify those five master keys once and for all. This last command will prompt you to do so; please do this cautiously by checking the fingerprints displayed against <a href="https://www.archlinux.org/master-keys/">those published on our website</a>.

Then, set the following in your pacman.conf:

SigLevel = PackageRequired TrustedOnly

And you should be good to go!

For more details on the development of pacman and archlinux-keyring, see the blog posts of <a href="http://allanmcrae.com/2011/12/pacman-package-signing-4-arch-linux/">Allan</a> and <a href="https://pierre-schmitz.com/verify-all-the-packages/">Pierre</a>.

========

Cheers.

-- 
Gaetan
On 30/04/12 08:59, Gaetan Bisson wrote:
Then, set the following in your pacman.conf:
SigLevel = PackageRequired TrustedOnly
Setting that globally causes failures with "pacman -U" and unsigned packages. So PackageRequired should only be enabled on a per repo basis at the moment.

We could do a pacman update with an updated pacman.conf for people to merge to help this along.

Allan
On 30.04.2012 02:18, Allan McRae wrote:
On 30/04/12 08:59, Gaetan Bisson wrote:
Then, set the following in your pacman.conf:
SigLevel = PackageRequired TrustedOnly
Setting that globally causes failures with "pacman -U" and unsigned packages. So PackageRequired should only be enabled on a per repo basis at the moment.
Isn't TrustedOnly the default anyway?
We could do a pacman update with an updated pacman.conf for people to merge to help this along.
Yes, we should.

-- 
Pierre Schmitz, https://pierre-schmitz.com
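The news item's global `SigLevel = PackageRequired TrustedOnly` and Allan's objection (a global PackageRequired makes `pacman -U` of an unsigned local package fail, so it belongs in the repository sections) are easiest to see side by side. The script below is an added example, not code from this thread or from the pacman project: it resolves the SigLevel that applies to each repository section of a pacman.conf and warns when PackageRequired is set under [options]. It assumes the INI-like layout of pacman.conf and that a SigLevel inside a [repo] section takes precedence over the [options] one; it reports the line as written and does not model pacman's merging of individual flags. The two configuration files it examines are constructed for the example; "Optional TrustedOnly" is pacman 4.0's compiled-in default, which is what Pierre's question refers to.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pacman project:
# resolve the SigLevel pacman.conf applies to each repository and flag
# a global PackageRequired, which (as Allan notes) makes "pacman -U" of
# an unsigned local package fail.
# Assumptions: pacman.conf is INI-like; a SigLevel under a [repo]
# section takes precedence over the one under [options]; the two sample
# configuration files below are constructed for this example.

# Print the SigLevel that applies to section NAME in file CONF:
# the section's own SigLevel line if it has one, else the [options] value.
effective_siglevel() {
    conf=$1; name=$2
    awk -v name="$name" '
        /^[[:space:]]*\[[^]]+\]/ {                 # section header
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec); sub(/\].*/, "", sec)
            next
        }
        /^[[:space:]]*SigLevel[[:space:]]*=/ {     # uncommented SigLevel line
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
            if (sec == "options") opt_val = val
            if (sec == name) sec_val = val
        }
        END {
            if (sec_val != "") print sec_val
            else if (opt_val != "") print opt_val
        }
    ' "$conf"
}

# List the repository sections of CONF (every section except [options]).
repos_in() {
    awk '/^[[:space:]]*\[[^]]+\]/ {
        s = $0
        sub(/^[[:space:]]*\[/, "", s); sub(/\].*/, "", s)
        if (s != "options") print s
    }' "$1"
}

# True when [options] carries PackageRequired, so every package,
# including a local one given to "pacman -U", must be signed.
global_package_required() {
    case " $(effective_siglevel "$1" options) " in
        *" PackageRequired "*) return 0 ;;
        *) return 1 ;;
    esac
}

# One line per repository with its effective SigLevel, preceded by a
# warning when PackageRequired is global.
report() {
    conf=$1
    if global_package_required "$conf"; then
        echo "WARNING: PackageRequired is global; pacman -U of an unsigned package will fail"
    fi
    for r in $(repos_in "$conf"); do
        printf '%-8s %s\n' "$r" "$(effective_siglevel "$conf" "$r")"
    done
}

# Constructed sample 1: the global setting from the draft news item.
GLOBAL_CONF=$(mktemp)
cat > "$GLOBAL_CONF" <<'EOF'
[options]
SigLevel = PackageRequired TrustedOnly

[core]
Include = /etc/pacman.d/mirrorlist

[extra]
Include = /etc/pacman.d/mirrorlist
EOF

# Constructed sample 2: Allan's per-repository alternative. [options]
# keeps "Optional TrustedOnly" (pacman 4.0's compiled-in default), so an
# unsigned local package still installs, while every package from the
# official repositories must carry a trusted signature.
PERREPO_CONF=$(mktemp)
cat > "$PERREPO_CONF" <<'EOF'
[options]
SigLevel = Optional TrustedOnly

[core]
SigLevel = PackageRequired TrustedOnly
Include = /etc/pacman.d/mirrorlist

[extra]
SigLevel = PackageRequired TrustedOnly
Include = /etc/pacman.d/mirrorlist
EOF
trap 'rm -f "$GLOBAL_CONF" "$PERREPO_CONF"' EXIT

echo "== global PackageRequired =="; report "$GLOBAL_CONF"
echo "== per-repository PackageRequired =="; report "$PERREPO_CONF"
```

Run it against a real /etc/pacman.conf with `report /etc/pacman.conf` to see which setting a machine actually ends up with; the warning is the case Allan describes, the per-repository layout is the one he recommends.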
[2012-04-30 10:18:36 +1000] Allan McRae:
On 30/04/12 08:59, Gaetan Bisson wrote:
Then, set the following in your pacman.conf:
SigLevel = PackageRequired TrustedOnly
Setting that globally causes failures with "pacman -U" and unsigned packages. So PackageRequired should only be enabled on a per repo basis at the moment.
Right.
We could do a pacman update with an updated pacman.conf for people to merge to help this along.
That would be great. In fact, package verification could even be enabled by default in the new pacman.conf, archlinux-keyring added as a dependency of pacman, and the news item summed up into a post-install message.

Attached are a patch to our pacman package and an updated news post doing this. Comments welcome!

Cheers.

-- 
Gaetan
On 30.04.2012 13:02, Gaetan Bisson wrote:
In fact, package verification could even be enabled by default in the new pacman.conf, archlinux-keyring added as a dependency of pacman, and the news item summed up into a post-install message. Attached are a patch to our pacman package and an updated news post doing this. Comments welcome!
You should add the PackageRequired line to the testing repositories as well. I wonder if this would break net installs; or is that broken anyway by now?

-- 
Pierre Schmitz, https://pierre-schmitz.com
[2012-04-30 13:06:11 +0200] Pierre Schmitz:
You should add the PackageRequired line to the testing repositories as well.
It is already there.
I wonder if this would break net installs; or is that broken anyway by now?
Ah, I haven't thought of that... Do installs try to run pacman without user intervention, and after it has been upgraded?

-- 
Gaetan
[2012-04-30 13:11:01 +0200] Gaetan Bisson:
[2012-04-30 13:06:11 +0200] Pierre Schmitz:
I wonder if this would break net installs; or is that broken anyway by now?
Ah, I haven't thought of that... Do installs try to run pacman without user intervention, and after it has been upgraded?
It appears pacman only runs once, so the install succeeds. However, the install message is drowned in the flood of packages, so most users will likely struggle when they run pacman next.

-- 
Gaëtan
[2012-05-02 23:38:22 +0200] Gaetan Bisson:
However, the install message is drowned in the flood of packages, so most users will likely struggle when they run pacman next.
All in all, that seems like a minor con, especially since, on top of the install message, we'll have a news post about this. It is far outweighed by the pro of bringing users' setups to the same page as ours.

Attached are an updated proposed news post and pacman-4.0.3-2 release. Please do have a look and let me know if you disagree with anything. I would like to push this to [testing] in a couple of days or so.

Cheers.

-- 
Gaetan
[2012-05-31 23:07:34 +1000] Gaetan Bisson:
Attached are an updated proposed news post and pacman-4.0.3-2 release.
Since nobody objects, I'll push this to [testing] tomorrow.

-- 
Gaetan
On Sat, 2 Jun 2012 17:25:04 +1000, Gaetan Bisson <bisson@archlinux.org> wrote:
[2012-05-31 23:07:34 +1000] Gaetan Bisson:
Attached are an updated proposed news post and pacman-4.0.3-2 release.
Since nobody objects, I'll push this to [testing] tomorrow.
The install msg points to a nonexistent news page...

-Andy
[2012-06-03 10:52:10 +0200] Andreas Radke:
The install msg points to a nonexistent news page...
I am planning to post it just before pacman moves to [core].

-- 
Gaetan
On 02/06/12 17:25, Gaetan Bisson wrote:
[2012-05-31 23:07:34 +1000] Gaetan Bisson:
Attached are an updated proposed news post and pacman-4.0.3-2 release.
Since nobody objects, I'll push this to [testing] tomorrow.
How many packages need to provide the same instructions...

(1/2) installing archlinux-keyring [######################] 100%
Run `pacman-key --init` to set up your pacman keyring.
Then run `pacman-key --populate archlinux` to install the Arch Linux keyring.
(2/2) upgrading pacman [######################] 100%
warning: /etc/makepkg.conf installed as /etc/makepkg.conf.pacnew
warning: /etc/pacman.conf installed as /etc/pacman.conf.pacnew
Run `pacman-key --init; pacman-key --populate archlinux` to import the data required by pacman for package verification.
See: https://www.archlinux.org/news/having-pacman-verify-packages