[arch-dev-public] Keyring package for real

Pierre Schmitz pierre at archlinux.de
Sat Mar 3 15:54:20 EST 2012


I have pushed an archlinux-keyring package into [testing] so we have
something real to talk about. I revised some of my initial ideas. The
package is compatible with pacman-key --populate; it seems gpg will also
just accept a keyring that is just a bunch of keys put into one file.

The remaining issue is the install script of the actual package. Atm I
run "pacman-key --init" on install and "--populate" on upgrade. Is there
a scenario where running init might not be a good idea? It won't increase
security to let users do this manually; even worse: people might just
not do it then. So I am going with a "works out-of-the-box" experience.

There are at least two problems with using pacman-key: It is extremely
verbose and it requires the keyring to be signed which will lead to a
bootstrapping problem. I started a thread about this on pacman-dev; so
if you have ideas why this signature check might not be useless let me
know there.



Pierre Schmitz, http://pierre-schmitz.com
