[arch-dev-public] Keyring package for real

Pierre Schmitz pierre at archlinux.de
Sun Feb 19 18:38:33 EST 2012

Am 20.02.2012 00:05, schrieb Gaetan Bisson:
> I do not understand the purpose of this tree. Actual key verification
> happens when a user lsigns certain keys of their keyring, why do it
> here? Our public key infrastructure can cope perfectly well with a
> keyring package shipping corrupted keys, so long as users do some
> verification before lsigning the master keys.

Sure the verification in the update script is technically not needed.
This is more a QA check for the package maintainer. And I'd also think
it'll be good practice to ensure the the package only contains valid and
fully trusted keys.

> If you feel our public key infrastructure needs more security, it should
> be added down in the infrastructure itself rather than convenience
> layers such as the keyring package.
> Since that tree duplicates information from archweb and data that I
> thought we agreed to let keyservers handle, I would consider much
> simpler and convenient to generate the list of packagers from archweb
> and retrieve the corresponding keys from a keyserver as we go in the
> build() function of the package.

The keyids come from archweb (maybe we can have a simple export later).
We also download missing keys from the keyservers. Imho it's nice to
have a local copy independent from any third party services. But sure,
some of this design decisions are a matter of taste and we could even
change it as we go. Imho it's more important to concentrate things that
really matter here.

Pierre Schmitz, http://pierre-schmitz.com

More information about the arch-dev-public mailing list