[arch-general] Package signing
Denis A. Altoé Falqueto
denisfalqueto at gmail.com
Thu Apr 29 03:17:23 CEST 2010
On Wed, Apr 28, 2010 at 6:37 PM, Linas <linas_fi at ymail.com> wrote:
> I wrote about this topic ~1 month ago.
> You don't need PKCis or distribute the keyrings themselves. GPG supports
> transitive trust.
> The pacman keyring would be installed by default trusting on whatever keys
> a pacman root signature has signed (there could also be a different master
> key for community developers).
> The basic idea here is that you are not trusting the repository, but the
> individuals themselves.
> The master key -which can be kept offline and is only used when a
> developer joins/part- provides a basic default (people we generally trust)
> but a power user could reconfigure it to not accept packages signed by
> Pierre, because he distrusts him :), or he can add additional trusted
> people (a much more likely scenario) by just adding that person's key to his
> keyring.
Hi, Linas.
Yes, you are right. I'm reading about the transitive trust scheme and
it really solves most of our problems. For those interested, here
is an interesting explanation:
http://www.apache.org/dev/openpgp.html#wot-verifying-links
About the other comments: in fact, the web of trust explained in the
link is the correct implementation of what I had thought.
I'll draft a workflow and return in a while.
--
A: Because it obfuscates the reading.
Q: Why is top posting so bad?
-------------------------------------------
Denis A. Altoe Falqueto
-------------------------------------------
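The scheme discussed in this thread (a master key certifies developer keys, the user's keyring trusts only the master key, and trust reaches each developer transitively), shown as an added example that is not part of the thread and not pacman's own code. It uses two throw-away GnuPG homes; the key names, e-mail addresses and the "package" are constructed, and GnuPG 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): the transitive-trust scheme described
# above, in two throw-away GnuPG homes. All names and key material are constructed.
set -eu

# Non-interactive gpg wrapper; keys here carry no passphrase, so this is demo-only.
g() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }
# Primary-key fingerprint of the key matching $2 in home $1.
fpr() { g --homedir "$1" --list-keys --with-colons "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }

setup_wot() {
  WORK=$(mktemp -d); DEV="$WORK/developers"; USERHOME="$WORK/user"
  mkdir -m 700 "$DEV" "$USERHOME"
  # Developer side: the master key (kept offline in real life) and one developer key.
  g --homedir "$DEV" --quick-gen-key "Pacman Master <master@example.invalid>" default default never
  g --homedir "$DEV" --quick-gen-key "Dev Alice <alice@example.invalid>" default default never
  MASTER=$(fpr "$DEV" master@example.invalid); ALICE=$(fpr "$DEV" alice@example.invalid)
  # "Developer joins": the master key certifies Alice's key. This certification is
  # the only link the user will rely on; Alice's key is never distributed by hand.
  g --homedir "$DEV" --default-key "$MASTER" --quick-sign-key "$ALICE"
  # Alice signs a (constructed) package.
  printf 'package bytes\n' > "$WORK/pkg.tar"
  g --homedir "$DEV" --default-key "$ALICE" --detach-sign "$WORK/pkg.tar"
  # User side: import only public keys; the master's certification travels with Alice's key.
  g --homedir "$DEV" --export "$MASTER" "$ALICE" | g --homedir "$USERHOME" --import
}

# TRUST_* status gpg reports when the user verifies the package signature.
trust_level() {
  g --homedir "$USERHOME" --status-fd 1 --verify "$WORK/pkg.tar.sig" "$WORK/pkg.tar" 2>/dev/null \
    | awk '$2 ~ /^TRUST_/ {print $2; exit}'
}

run_demo() {
  setup_wot
  # The signature is cryptographically good, but Alice's key is not yet valid in
  # the user's keyring, so gpg reports TRUST_UNDEFINED (pacman should refuse here).
  BEFORE=$(trust_level)
  # The default keyring would ship with this step already done: trust the master key.
  # (Ultimate ownertrust stands in for "locally signed by the user's own key".)
  printf '%s:6:\n' "$MASTER" | g --homedir "$USERHOME" --import-ownertrust
  g --homedir "$USERHOME" --check-trustdb
  # Trust now flows master -> Alice, so the same signature verifies as TRUST_FULLY.
  AFTER=$(trust_level)
  echo "before trusting master: $BEFORE; after: $AFTER"
  gpgconf --homedir "$DEV" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$USERHOME" --kill gpg-agent 2>/dev/null || true
  rm -rf "$WORK"
}
run_demo
```

Revoking a developer's key at the master (or the power user removing that key from his own keyring) turns the second result back into the first, which is the check a package manager must act on rather than merely warn about.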