[arch-general] Package signing: database signatures?
Florian Pritz
bluewind at xinu.at
Mon Mar 5 04:42:15 EST 2012
On 05.03.2012 10:39, Christian Hesse wrote:
> Hello everybody,
>
> afaik, database files in official repositories are not signed yet. Are they?
>
> This forces one to set SigLevel to 'Optional' instead of 'Required'. Now if
> anybody wants to provide an infected package he/she only needs to provide no
> signature at all and the package is happily accepted, no?
>
> So when will database files from official packages be signed?
>
> And even more interesting: Does it make sense to add a new option
> 'PkgRequired'? This could force valid signatures for packages and make it
> optional for database files.
You should read pacman.conf(5) "PACKAGE AND DATABASE SIGNATURE CHECKING"
and use "Optional PackageRequired"
--
Florian Pritz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20120305/24541211/attachment.asc>
More information about the arch-general
mailing list