[arch-general] Pacman makepkg and signatures

Allan McRae allan at archlinux.org
Tue Oct 25 15:38:23 EDT 2011

On 26/10/11 04:38, Denis A. Altoé Falqueto wrote:
> On Tue, Oct 25, 2011 at 3:44 PM, Leonid Isaev<lisaev at umail.iu.edu>  wrote:
>> OK, remarks here:
>> 1. Web of trust is something relevant when people actually know each other
>> either directly or indirectly (e.g. through mutual friends). When developers
>> are concerned, for any distro, this concept looses its meaning, because you
>> have no way of knowing them and just have to trust them. This is why the likes
>> fedora and debian don'teven have this TrustAll option (at least I am unaware of
>> such) -- the keys are trusted always. You either have to blindly trust devs key
>> at the gpg level, or use TrustAll.
>> 2. Don't just import keys when pacman asks you, because this opens you to an
>> attack you described. Instead, import keys from the website manually and then
>> be cautious when pacman says that a key is invalid/missing.
>> 3. Due to (1) TrustAll is likely to stay, but you can always replace Optional
>> with Required in due time.
> The trust problem is complex, indeed, but we can at least mitigate it
> doing the following (it's what I do):
> 1. set TrustedOnly, instead of TrustAll
> 2. import the keys when pacman asks
> 3. # pacman-key --edit-key<email or id for key>. That will open a gpg session.
> 4. go to http://www.archlinux.org/developers/ and/or
> http://www.archlinux.org/trustedusers/ to check the new signatures
> 5. sign the key, checking if the fingerprint is correct, according to
> the websites from step 4
> 5. perform save to apply the changes
> That way, one can be a little more secure when trusting the keys. The
> point is always checking with different places. Today, there are the
> keyservers and the Arch developer info pages. Some day, there could be
> more options (read-only wiki page, fixed BBS posts), so if one is
> compromised, the others can serve as checkpoints for integrity.
> IMHO, I don't like TrustAll very much (and the equivalents concepts in
> other distributions). It takes the responsibility from the users, who
> are the ultimate decision makers of their systems. But that is just my
> opinion (not an invitation to a long pointless discussion). We have
> options enough to satisfy everyone.

This is something that will be improved over time...  Although it is not 
finally decided yet, there will likely be a limited number of Arch 
master keys that a user would have to verify, import and locally sign. 
These would be very widely published so the user has confidence they are 
importing the correct key.  The master keys would then be used to sign 
all the devs keys, so the dev keys become trusted through the web of 
trust rather than having to manually trust them.

But all this takes time.  We will get there eventually...


More information about the arch-general mailing list