[arch-general] Unknown Trust and Corrupted Package

Emil Lundberg lundberg.emil at gmail.com
Mon Jan 25 08:58:34 UTC 2016


>
> > Looks like people tend to forget about updating pacman keyring.
> >
> >     pacman-key --refresh-keys
>
> Isn't this done automatically? Should it?
>

I personally can't see how it (an upgrade hook in a package) could. The
pacman-keyring package can (and does) do some maintenance operations on
upgrades, but things like OP's issue (I noticed the same thing as well) are
more likely to occur due to a completely unrelated package coming with
signatures from a new key without the pacman-key package being touched.

What could be done would be to make pacman automatically download any and
all needed keys without user intervention. This shouldn't be a security
issue since the web of trust should still be enforced (i.e. this wouldn't
mean you'd just blindly trust random keys, just that pacman would do the
equivalent of `pacman-key --refresh` when necessary). I don't know if this
has already been considered and rejected by the pacman devs.
