[arch-general] Pacman makepkg and signatures

Leonid Isaev lisaev at umail.iu.edu
Tue Oct 25 13:44:04 EDT 2011 

On (10/25/11 10:19), Steve Holmes wrote:
-~> On 10/25/11, Denis A. Altoé Falqueto <denisfalqueto at gmail.com> wrote:
-~> >
-~> > I didn't understand what you mean by "correct the errors" and
-~> > "signature verification stuff doesn't work". Would you mind to
-~> > elaborate on that?
-~> 
-~> I meant that when I did the first updates this morning, I got an eror
-~> on every package because the key for each package (signature) wasn't
-~> valid.  I figured that meant it couldn't be verified or something.
-~> Yes, I know little about overall pgp and web of trust so have a lot to
-~> learn there.  At this point, I'm more enclined to "trust" the
-~> signatures or keys from the 12 Arch devs than anyone else right now.
-~> I really don't know of anyone with a pgp key I could assume as a
-~> trusted party.  If I'm using wrong terms here or acting ignorant, it
-~> is probably because I am:).  So for now I'm using trustall but wonder
-~> if that is generally a good idea since someone else could come along
-~> with a netharious package and blow the whole thing.

OK, remarks here:
1. Web of trust is something relevant when people actually know each other
either directly or indirectly (e.g. through mutual friends). When developers
are concerned, for any distro, this concept looses its meaning, because you
have no way of knowing them and just have to trust them. This is why the likes
fedora and debian don'teven have this TrustAll option (at least I am unaware of
such) -- the keys are trusted always. You either have to blindly trust devs key
at the gpg level, or use TrustAll.

2. Don't just import keys when pacman asks you, because this opens you to an
attack you described. Instead, import keys from the website manually and then
be cautious when pacman says that a key is invalid/missing.

3. Due to (1) TrustAll is likely to stay, but you can always replace Optional
with Required in due time.

-- 
Leonid Isaev
GnuPG key ID: 164B5A6D
Key fingerprint: C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 490 bytes
Desc: not available
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20111025/2aa31c24/attachment.asc>

More information about the arch-general mailing list