[arch-general] Updating the archlinux-keyring package

Don deJuan donjuansjiz at gmail.com
Fri Feb 14 06:43:38 EST 2014


On 02/14/2014 03:00 AM, Plonky Duby wrote:
> I do agree with that, I switched on a laptop which was off since September
> 2013 and I had some issue with some key.
>
> I had to update key, before having a successful update.
>
> 2014-02-13 20:21 GMT+01:00 Leonid Isaev <lisaev at umail.iu.edu>:
>
>> Hi,
>>
>>         Recently I had to fix a corrupted pacman db from a 3 month old
>> livecd and realized that this process is not so innocent. Specifically,
>> there is a chance to get a trojaned package on the system simply because
>> the archlinux-keyring package on the iso is outdated. Of course, other
>> similar scenarios are possible, e.g. a fresh install is made from an old
>> livecd, or a server is updated after several months of uptime: new
>> packages are pulled in but signature checks are made using the old
>> keyring currently on the host.
>>         So, instead of relying on the discrete updates of
>> archlinux-keyring, wouldn't it make more sense to have a systemd
>> timer/cron job to frequently refresh pacman keyring?
>>
>> Thanks,
>> --
>> Leonid Isaev
>> GPG key fingerprint: C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D
>>

pacman-key --refresh-keys ??
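
One way to set up the systemd timer proposed in the quoted message around the `pacman-key --refresh-keys` command above, as an added example that is not part of the original thread. The unit names, the weekly schedule and the `--install` switch are assumptions.

```shell
#!/bin/sh
# Added example: unit names and the weekly schedule are assumptions.
# Note: --refresh-keys only updates keys already in pacman's keyring
# (revocations, new expiry dates); keys of new packagers still arrive
# through the archlinux-keyring package itself.

# write_units DIR: write the service and timer unit files into DIR.
write_units() {
    dir=$1
    cat > "$dir/pacman-keyring-refresh.service" <<'EOF'
[Unit]
Description=Refresh the pacman keyring from the keyserver
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/bin/pacman-key --refresh-keys
EOF
    cat > "$dir/pacman-keyring-refresh.timer" <<'EOF'
[Unit]
Description=Weekly pacman keyring refresh

[Timer]
OnCalendar=weekly
# Run at next boot if the machine was off when the timer was due.
Persistent=true
# Spread the load on the keyserver.
RandomizedDelaySec=1h

[Install]
WantedBy=timers.target
EOF
}

# Install and enable only when called with --install (needs root).
if [ "${1:-}" = "--install" ]; then
    write_units /etc/systemd/system
    systemctl daemon-reload
    systemctl enable --now pacman-keyring-refresh.timer
fi
```

`Persistent=true` covers the laptop case from the thread: a machine that was powered off when the timer was due runs the refresh shortly after its next boot.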

