[arch-general] [arch-dev-public] Can we trust our mirrors?
Thomas Bächler
thomas at archlinux.org
Sun Nov 30 07:20:54 EST 2008
Aaron Griffin schrieb:
> When I last spoke to Dan, the biggest issue here was that gpg doesn't
> have a library interface. We'd have to call the binary directly from
> pacman.
1) There is gpgme! But what does it do? It calls the gpg command line
tool (iirc).
2) So what? Let's use gnutls or openssl. We could create an arch root
certificate and sign the developers' keys with it, and use RSA or (my
preference) DSA signatures. Then you can do it all on a library level.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 260 bytes
Desc: OpenPGP digital signature
URL: <http://archlinux.org/pipermail/arch-general/attachments/20081130/51e7a4b8/attachment.pgp>
More information about the arch-general
mailing list