[arch-general] Time for new release?
dennis at archlinux.org
Sun Jun 17 15:52:41 EDT 2012
On Sun, Jun 17, 2012 at 09:25:25PM +0200, Geoffroy PLANQUART wrote:
> I noticed that every time I set up a new VM, I have to manually run the
> `pacman-key --init' and `pacman-key --populate archlinux'.
> Wouldn't it be time to set up a new installation release? Thus new users
> wouldn't have to bother about pacman recent changes, and moreover the basic
> install would be kept simple, ready to use.
I'm maintaining a development VM at work based on Arch, and encountered the
same issue; Everyone installing one of these VMs for the first time has to do
the key generation dance, which is made worse by the fact that a VM doesn't
tend to generate lots of entropy in the first place.
However: Distributing a pacman keychain master key to more than one machine is
rarely a sensible solution. If you actually want the very specific additional
security checks offered by only allowing signed packages, you must ensure a
properly secured master key with a diligently confirmed web of trust. If the
private master key, which is being generated with --init, leaks, it is trivial
for a hypothetical attacker to directly sign manipulated packages with this
key, which basically invalidates the security benefit signed packages are
supposed to offer.
If you do not need signed packages, anyway, just switch off the signature logic
in your pacman.conf with SigLevel = Never and don't bother with key management
at all. It all depends on your setup and requirements.
Of course a fresher installation medium surely would be nice to have,
especially for VM setup, although there are quicker ways than a bootable CD to
get an up to date VM running with Arch, do not expect key management to ever
run out of the box. It's not supposed to, as it's highly individual.
More information about the arch-general