[arch-dev-public] Keyring package for real

Gaetan Bisson bisson at archlinux.org
Sun Feb 19 18:05:49 EST 2012

[2012-02-19 17:18:51 +0100] Pierre Schmitz:
> As a result I created a git repo which is meant to store all
> packager and master keys:
> https://projects.archlinux.org/archlinux-keyring.git/
> The advantage over putting these files directly into svn is that we
> could use a cleaner layout with subdirs, sign tags and verify the
> source. The result is a (signed) tarball which can be used in the
> actual package which would contain additional logic. The keyids are
> exported from archweb.

I do not understand the purpose of this tree. Actual key verification
happens when a user lsigns certain keys of their keyring, so why do it
here? Our public key infrastructure can cope perfectly well with a
keyring package shipping corrupted keys, so long as users do some
verification before lsigning the master keys.

If you feel our public key infrastructure needs more security, it should
be added down in the infrastructure itself rather than convenience
layers such as the keyring package.

Since that tree duplicates information from archweb and data that I
thought we agreed to let keyservers handle, I would consider it much
simpler and more convenient to generate the list of packagers from archweb
and retrieve the corresponding keys from a keyserver as we go in the
build() function of the package. And there should be no need to manually
verify anything but the master keys: if there is, that would be a flaw
in GPG and/or the use pacman makes of it, not the keyring package.
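The trust model this reply relies on (users verify the master key fingerprints out of band and lsign them; packager keys are then accepted only through certifications from those masters, so a corrupted or injected key in the keyring package carries no weight) can be sketched as a small simulation. This is an added illustration written for this page, not code from the thread, from archlinux-keyring or from pacman; the key names, the (signer, signee) certification list and the three-master-key threshold are constructed assumptions.

```python
"""Toy web-of-trust check for a distribution keyring.

Constructed for illustration: keys are plain string identifiers, a
certification is a (signer, signee) pair as it would ship inside a
keyring package, and the threshold below is an assumed policy, not a
value taken from pacman or the archlinux-keyring project.
"""
from collections import defaultdict

# Assumed threshold: a packager key is valid only when at least this many
# locally signed (lsigned) master keys certify it.
MIN_MASTER_SIGS = 3


def valid_packager_keys(lsigned_masters, certifications, min_sigs=MIN_MASTER_SIGS):
    """Return the set of packager keys a user should accept.

    lsigned_masters: master keys the user verified out of band and lsigned.
    certifications: iterable of (signer, signee) pairs from the keyring.

    Certifications made by any key the user has not lsigned are ignored,
    and self-certifications never count, so an injected "master" or a
    self-signed rogue key in the shipped keyring cannot vouch for anyone.
    """
    signers_of = defaultdict(set)
    for signer, signee in certifications:
        if signer in lsigned_masters and signer != signee:
            signers_of[signee].add(signer)
    return {key for key, signers in signers_of.items() if len(signers) >= min_sigs}


def accept_package(signing_key, trusted_keys):
    """A package signature is accepted only if its key passed the check."""
    return signing_key in trusted_keys


# Constructed sample keyring: five master keys, of which the user has so
# far verified and lsigned four (M5's fingerprint was not checked yet).
USER_LSIGNED = {"M1", "M2", "M3", "M4"}

KEYRING_CERTS = [
    ("M1", "alice"), ("M2", "alice"), ("M3", "alice"),      # fully certified
    ("M1", "bob"), ("M2", "bob"),                           # one short
    ("M3", "carol"), ("M4", "carol"), ("M5", "carol"),      # depends on M5
    # Entries that a corrupted keyring package might contain:
    ("rogue-master", "mallory"), ("mallory", "mallory"), ("M1", "mallory"),
]

if __name__ == "__main__":
    trusted = valid_packager_keys(USER_LSIGNED, KEYRING_CERTS)
    print("trusted packager keys:", sorted(trusted))
    for key in ("alice", "bob", "carol", "mallory"):
        print(f"package signed by {key}: {'accepted' if accept_package(key, trusted) else 'rejected'}")
    # Once the user verifies and lsigns M5, carol becomes acceptable too.
    print("after lsigning M5:", sorted(valid_packager_keys(USER_LSIGNED | {"M5"}, KEYRING_CERTS)))
```

The point of the simulation is the one the reply makes: the rogue entries in `KEYRING_CERTS` never change the outcome, because trust is anchored solely in the master keys the user lsigned after checking their fingerprints, so the keyring package itself does not need to be a verified artifact.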


