[arch-general] Updating the archlinux-keyring package
Leonid Isaev
lisaev at umail.iu.edu
Thu Feb 13 14:21:25 EST 2014
Hi,
Recently I had to fix a corrupted pacman db from a 3 month old livecd
and realized that this process is not so innocent. Specifically, there is a
chance to get a trojaned package on the system simply because the
archlinux-keyring package on the iso is outdated. Of course, other similar
scenarios are possible, e.g. a fresh install is made from an old livecd, or a
server is updated after several months of uptime: new packages are pulled in
but signature checks are made using the old keyring currently on the host.
So, instead of relying on the discrete updates of archlinux-keyring,
wouldn't is make more sense to have a systemd timer/cron job to frequently
refresh pacman keyring?
Thanks,
--
Leonid Isaev
GPG key fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: not available
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20140213/8f765b5a/attachment.asc>
More information about the arch-general
mailing list