[arch-general] Package signing: database signatures?

Christian Hesse list at eworm.de
Mon Mar 5 04:52:33 EST 2012


Florian Pritz <bluewind at xinu.at> on Mon, 05 Mar 2012 10:42:15 +0100:
> On 05.03.2012 10:39, Christian Hesse wrote:
> > Hello everybody,
> > 
> > afaik, database files in official repositories are not signed yet. Are
> > they?
> > 
> > This forces one to set SigLevel to 'Optional' instead of 'Required'. Now
> > if anybody wants to provide an infected package he/she only needs to
> > provide no signature at all and the package is happily accepted, no?
> > 
> > So when will database files from official packages be signed?
> > 
> > And even more interesting: Does it make sense to add a new option
> > 'PkgRequired'? This could force valid signatures for packages and make it
> > optional for database files.
> 
> You should read pacman.conf(5) "PACKAGE AND DATABASE SIGNATURE CHECKING"
> and use "Optional PackageRequired"

I misread the lines about combining of the options and prefixes.
My fault, I am perfectly happy now. ;)

Sorry for the noise!
-- 
Best regards,
Chris
                         O< ascii ribbon campaign
                   stop html mail - www.asciiribbon.org


More information about the arch-general mailing list