[arch-general] Package signing
ngoonee at gmail.com
Thu Apr 29 00:53:12 CEST 2010
On Thu, 2010-04-29 at 00:36 +0200, Linas wrote:
> Thomas Bächler wrote:
> > We must have a system that allows pacman to automatically verify new
> > developer keys and revoke old ones ... even more important, revoke them
> > in a way that signatures made before a certain date are still accepted,
> > but newer ones aren't.
> > I don't see this easily being implemented with PGP-Keys, but maybe
> > someone else knows more.
> You can't trust a package made with a compromised key just because it
> looks old. That can be falsified.
> Packages not affected should be resigned by another developer / the new
> developers key.
> I would still recompile them, though (withouth necessarily increasing
> the pkgrel).
> You might trust the date it if it was already in your local drive before
> compromise date, but in such case you probably have it already installed,
> so you don't need to trust check it.
> Under which circunstances would you envision the need to trust an old,
> compromised signature?
New install, dev for a coupl of [extra] packages has already left the
team. Having to recompile everytime a dev leaves the team is additional
(unnecessary) hassle IMO, especially for bigger packages (openoffice and
sons, I'm looking at you).
More information about the arch-general