[arch-general] Pacman makepkg and signatures

Steve Holmes steve.holmes88 at gmail.com
Tue Oct 25 16:26:11 EDT 2011


On 10/25/11, Denis A. Altoé Falqueto <denisfalqueto at gmail.com> wrote:
> The trust problem is complex, indeed, but we can at least mitigate it
> doing the following (it's what I do):
>
> 1. set TrustedOnly, instead of TrustAll
> 2. import the keys when pacman asks
> 3. # pacman-key --edit-key <email or id for key>. That will open a gpg
> session.
> 4. go to http://www.archlinux.org/developers/ and/or
> http://www.archlinux.org/trustedusers/ to check the new signatures
> 5. sign the key, checking if the fingerprint is correct, according to
> the websites from step 4
> 6. perform save to apply the changes
>
> That way, one can be a little more secure when trusting the keys. The
> point is always checking with different places. Today, there are the
> keyservers and the Arch developer info pages. Some day, there could be
> more options (read-only wiki page, fixed BBS posts), so if one is
> compromised, the others can serve as checkpoints for integrity.
>
> IMHO, I don't like TrustAll very much (and the equivalent concepts in
> other distributions). It takes the responsibility from the users, who
> are the ultimate decision makers of their systems. But that is just my
> opinion (not an invitation to a long pointless discussion). We have
> options enough to satisfy everyone.

Thanks for the suggested steps.  That tells me a bit more about the
process.  I may give that a try fairly soon.  I've done very little with
pgp; just set up a personal pgp key pair several years ago and use it
with some of my e-mail but other than that, just pretty much left it
alone.  It seemed like any time I read much about this encryption
stuff, it seemed to rise right up way over my head.  I suppose I
should try and get my head more around this encryption stuff sooner
than later.
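The fingerprint check in steps 3 to 5 of the quoted procedure is the part that is easy to get wrong by eye. The script below is an added example, not code from the thread or from pacman-key: it extracts a key's fingerprint from `gpg --with-colons` output, normalizes it, compares it against a list transcribed from the developer and trusted-user pages, and only then invokes `pacman-key --lsign-key`. The sample key record, the key id, and the trusted-fingerprint list are constructed placeholders; the keyring path `/etc/pacman.d/gnupg` is pacman-key's default directory.

```shell
#!/bin/sh
# Added example (not from the thread): refuse to sign a key in the pacman
# keyring unless its fingerprint matches one copied from the Arch developer
# pages. All key material below is made up for illustration.

# Constructed sample of `gpg --with-colons --fingerprint` for one key.
# Field 10 of the "fpr" record holds the full 40-hex-digit fingerprint.
SAMPLE_GPG_OUTPUT='pub:-:2048:1:ABCDEF0123456789:2011-10-01::::::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::2011-10-01::0000000000000000000000000000000000000000::Example Packager <packager at example.org>:'

# Constructed placeholder list, "<fingerprint in groups of four> <name>" per
# line, as you would transcribe it from archlinux.org/developers/ or
# archlinux.org/trustedusers/ (never from the key itself or a keyserver).
TRUSTED_FPRS='0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567 Example Packager
FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98 Another Packager'

# Canonical form for comparison: uppercase, no whitespace.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Pull the fingerprint for key id $2 out of --with-colons text $1:
# find the "pub" record whose long id ends with $2, then the next "fpr" record.
fpr_from_colons() {
    printf '%s\n' "$1" | awk -F: -v id="$2" '
        $1 == "pub" && $5 ~ id "$" { want = 1; next }
        $1 == "fpr" && want        { print $10; exit }'
}

# Exit 0 if the (normalized) fingerprint is in TRUSTED_FPRS, 1 otherwise.
# awk joins the first ten 4-char groups of each line; grep -xF needs an
# exact whole-line match, so partial or prefix matches are rejected.
fpr_is_trusted() {
    fpr=$(normalize_fpr "$1")
    printf '%s\n' "$TRUSTED_FPRS" \
        | awk '{ f = ""; for (i = 1; i <= 10; i++) f = f toupper($i); print f }' \
        | grep -qxF "$fpr"
}

# Real use: read the key from the pacman keyring instead of the sample
# (/etc/pacman.d/gnupg is pacman-key's default keyring directory).
colons_from_pacman_keyring() {
    gpg --homedir /etc/pacman.d/gnupg --with-colons --fingerprint "$1" 2>/dev/null
}

# Locally sign key $1 (colons text in $2) only after its fingerprint matched.
# pacman-key is only executed when DO_SIGN=1; otherwise the decision is just
# reported, so the check can be rehearsed without touching the keyring.
sign_if_trusted() {
    keyid=$1
    fpr=$(fpr_from_colons "$2" "$keyid")
    if [ -z "$fpr" ]; then
        echo "no fingerprint found for $keyid" >&2
        return 2
    fi
    if fpr_is_trusted "$fpr"; then
        echo "fingerprint $fpr matches the published one; ok to sign $keyid"
        if [ "${DO_SIGN:-0}" = 1 ]; then
            pacman-key --lsign-key "$keyid"
        fi
        return 0
    fi
    echo "fingerprint MISMATCH for $keyid: $fpr is not in the trusted list" >&2
    return 1
}

# Rehearsal on the constructed sample; no keyring is touched.
sign_if_trusted ABCDEF0123456789 "$SAMPLE_GPG_OUTPUT"
```

For a live check, replace the sample with `colons_from_pacman_keyring <keyid>` after pacman has imported the key, keep `TRUSTED_FPRS` as a file you filled in by hand from the web pages, and run with `DO_SIGN=1` as root only once the script reports a match. The point of keeping the list separate from anything gpg prints is the one the quoted mail makes: the fingerprint must come from a second, independent place.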
