[arch-general] Package signing

Linas linas_fi at ymail.com
Thu Apr 29 00:36:46 CEST 2010


Thomas Bächler wrote:
> We must have a system that allows pacman to automatically verify new
> developer keys and revoke old ones ... even more important, revoke them
> in a way that signatures made before a certain date are still accepted,
> but newer ones aren't.
> I don't see this easily being implemented with PGP-Keys, but maybe
> someone else knows more.
>   

You can't trust a package made with a compromised key just because it
looks old. That can be falsified.
Packages not affected should be re-signed by another developer / the new
developer's key.
I would still recompile them, though (without necessarily increasing
the pkgrel).

You might trust the date if it was already on your local drive before
the compromise date, but in such a case you probably have it already
installed, so you don't need to trust check it.

Under which circumstances would you envision the need to trust an old,
compromised signature?

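The point made in the message above, sketched as an added example (not part of the original post and not pacman code): for a revoked key, the timestamp inside the signature is ignored because the key holder writes it, and only a locally recorded first-seen time for the exact file hash counts. The key ids, dates, package bytes and the `decide` helper are constructed for illustration, and cryptographic signature verification is assumed to have been done elsewhere.

```python
import hashlib
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed revocation list: key id -> date the key is considered compromised.
REVOKED = {"KEY-A": utc(2010, 4, 1)}

def decide(pkg: bytes, key_id: str, claimed_sig_time: datetime, first_seen: dict) -> str:
    """Return 'accept' or 'reject' for a package whose signature already
    verified cryptographically (assumed to be checked by the caller)."""
    compromised_at = REVOKED.get(key_id)
    if compromised_at is None:
        return "accept"  # key is not revoked, normal trust applies
    # claimed_sig_time is deliberately not consulted: whoever holds the
    # compromised key can set it to any date they like.
    seen = first_seen.get(sha256(pkg))
    if seen is not None and seen < compromised_at:
        return "accept"  # this exact file was on local disk before the compromise
    return "reject"      # needs re-signing with a key that is still trusted

# Constructed sample data.
OLD_PKG = b"foo-1.0-1 (constructed sample package)"
BACKDATED_PKG = b"foo-1.0-1 (constructed, signed later with a backdated timestamp)"
# Local record written by this machine when it first stored each file.
FIRST_SEEN = {sha256(OLD_PKG): utc(2010, 3, 1)}

def run_examples():
    return [
        decide(OLD_PKG, "KEY-A", utc(2010, 2, 20), FIRST_SEEN),        # seen locally in time
        decide(BACKDATED_PKG, "KEY-A", utc(2010, 1, 15), FIRST_SEEN),  # only "looks old"
        decide(BACKDATED_PKG, "KEY-B", utc(2010, 4, 20), FIRST_SEEN),  # key not revoked
    ]

if __name__ == "__main__":
    print(run_examples())
```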

