[arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

Denis A. Altoé Falqueto denisfalqueto at gmail.com
Mon Jun 14 10:23:12 EDT 2010


On Sun, Jun 13, 2010 at 7:46 AM, Xavier Chantry
<chantry.xavier at gmail.com> wrote:
> On Sun, Jun 13, 2010 at 11:38 AM, Ananda Samaddar <ananda at samaddar.co.uk> wrote:
>>
>> This is the reason why we need package signing for Pacman.  I'm aware
>> that some progress has been made and it's being worked on.  Are there
>> any updates?
>>
>
> It's all there : http://projects.archlinux.org/users/allan/pacman.git/log/?h=gpg
> and there :
> http://wiki.archlinux.org/index.php/Package_Signing_Proposal_for_Pacman
>
> Come back to us when everything is implemented and working :)
>
> You can also read the last thread :
> http://mailman.archlinux.org/pipermail/arch-general/2010-April/012897.html
> And contact Denis A. Altoé Falqueto about pacman-key and all the rest,
> and maybe Aleksis Jauntēvs too
>
> Basically there is no one leading and coordinating these efforts, just
> various people who pushed it a bit at random times in the past, and got
> quickly de-motivated by the lack of interest from everyone else.

Yes, it's basically true. I'm yet a little motivated. I just don't have
the time right now to do anything. I think I'll push pacman-key and
some other things to the project on gitorious
(http://gitorious.org/pacman-pkgsig). It is a fork of the sig branch
of Allan's git repository, so that we can test things without the need
to have commit rights on Allan's repo.

Anyway, I'm trying to find some time to work on it as soon as
possible, but I can't promise anything. This is my first time working
with C in a big implementation, so this is another problem to deal with.

And keep in mind that package signing per se will not solve this kind
of problem. Repository database signing is more important for that
solution, but is a problem in the current workflow of Arch developers.

-- 
-------------------------------------------
Denis A. Altoe Falqueto
-------------------------------------------

