[arch-general] Updating the archlinux-keyring package

Plonky Duby plonky at gmail.com
Fri Feb 14 06:00:43 EST 2014

I do agree with that, i switched on a laptop which was off since september
2013 and i had some issue with some key.

I had to update key, before having a sucessfull update.

2014-02-13 20:21 GMT+01:00 Leonid Isaev <lisaev at umail.iu.edu>:

> Hi,
>         Recently I had to fix a corrupted pacman db from a 3 month old
> livecd
> and realized that this process is not so innocent. Specifically, there is a
> chance to get a trojaned package on the system simply because the
> archlinux-keyring package on the iso is outdated. Of course, other similar
> scenarios are possible, e.g. a fresh install is made from an old livecd,
> or a
> server is updated after several months of uptime: new packages are pulled
> in
> but signature checks are made using the old keyring currently on the host.
>         So, instead of relying on the discrete updates of
> archlinux-keyring,
> wouldn't is make more sense to have a systemd timer/cron job to frequently
> refresh pacman keyring?
> Thanks,
> --
> Leonid Isaev
> GPG key fingerprint: C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D

More information about the arch-general mailing list