[arch-general] [arch-dev-public] Can we trust our mirrors?

Gerhard Brauer gerhard.brauer at web.de
Sat Nov 29 20:06:51 EST 2008


On Sun, 30 Nov 2008 01:20:13 +0100
Gerhard Brauer <gerhard.brauer at web.de> wrote:

> On Sat, 29 Nov 2008 17:24:19 -0600
> "Aaron Griffin" <aaronmgriffin at gmail.com> wrote:
> > 
> > All we'd need is to patch repo-add to include signature data in the
> > DB. To do this properly, signatures should be uploaded with the
> > package itself, from the packager's machine... hmmm
> 
> In the starting mail on arch-dev-public Pierre attached a quick patch
> and download script that I have tested with my own repo. It works in
> this way: a database file modified in whatever way doesn't get
> installed as new data during -Syu when the signature could not be
> verified. No new database -> no new packages.

I think I misunderstood Aaron's part. He mentioned that repo-add should
also add the "signature data" to the db.
Maybe we don't need special data to verify a package against a valid
signature.
We could sign a package inline, that means the tar.gz is enveloped by a
signature (default --sign option). After/during verifying, the tar.gz
could be separated from the signature with --output. The disadvantage
with this method is maybe that the package archive could not be used
directly without verifying it.
On the other side we sign with --detach-sign, which provides a .sig file
related to the signed pkg.tar.gz. Upload (and pacman download) then
must handle two files.

Database signature entries: Maybe we could use existing fields to get
the proper key id from the public keyring to verify. Email or
packager data. But this could only be done when a package is always and
only signed by its maintainer - and AFAIK we have situations where one
developer builds packages for another.
So you're right: the key id or fingerprint of the actual
developer/packager/signer must be stored in the database file to get the
proper key id.


Regards
	Gerhard
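
The check this mail argues for, as an added example (not code from the
thread or from pacman): parse a sync-db desc entry carrying the signer's
fingerprint, parse gpg's --status-fd output for the detached signature,
and accept the package only if the primary key that signed it matches.
The %SIGNERFPR% field and all sample values are constructed assumptions.

```python
import re
# Constructed desc entry: %NAME% and %PACKAGER% are real pacman db fields,
# %SIGNERFPR% is hypothetical (the field the post proposes adding).
DESC_ENTRY = """%NAME%
foo

%PACKAGER%
Some Dev <dev@example.org>

%SIGNERFPR%
AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
"""

# Constructed `gpg --status-fd 1 --verify foo.pkg.tar.gz.sig foo.pkg.tar.gz`
# output: good sig from a subkey; VALIDSIG's last field is the primary fpr.
STATUS_OK = """[GNUPG:] GOODSIG 3333222211110000 Some Dev <dev@example.org>
[GNUPG:] VALIDSIG 9999888877776666555544443333222211110000 2008-11-29 1227999999 0 4 0 1 10 00 AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
"""

REJECT = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def parse_desc(text):
    """Map each %FIELD% of a desc entry to its list of value lines."""
    fields, current = {}, None
    for line in text.splitlines():
        m = re.fullmatch(r"%([A-Z0-9_]+)%", line)
        if m:
            current = m.group(1)
            fields[current] = []
        elif line and current is not None:
            fields[current].append(line)
    return fields

def signer_fingerprint(status_text):
    """Primary-key fingerprint from VALIDSIG, or None if gpg rejected the sig."""
    fpr = None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in REJECT:
            return None
        if parts[1] == "VALIDSIG":
            fpr = parts[-1].upper()  # parts[2] may be a subkey; last is primary
    return fpr

def package_trusted(desc_text, status_text):
    """Accept only if the sig verifies and its primary key is the db's signer."""
    expected = (parse_desc(desc_text).get("SIGNERFPR") or [""])[0].upper()
    return bool(expected) and signer_fingerprint(status_text) == expected
```

Comparing against the primary fingerprint rather than %PACKAGER% is what
lets one developer sign a package built by another, as the mail notes.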


