[pacman-dev] [PATCH] GPG signature option in makepkg

Geoffroy Carrier geoffroy.carrier at koon.fr
Sun Jun 1 21:12:02 EDT 2008


Excerpts from Geoffroy Carrier's message of Mon Jun 02 03:04:40 +0200 2008:
> From: Geoffroy Carrier <geoffroy.carrier at koon.fr>

And this guy could explain what he does...

Sorry, I'm still learning git. Dozens of thanks to toofishes: without
him, this patch might still be in my computer, or not, but never here.

My idea is that devs could sign packages in the main repos. Those
signatures would be embedded into the db file. [core] could include
some 'archlinux-keyring', which would provide
/etc/pacman.d/archlinux-keyring. Adapt this to any other distribution,
BTW.

For pacman's options, at least 3 choices are possible:
 - An option to disable signature checks or specify the keyring
 - The same thing, repository-based (you can use a different keyring for
   each repository)
 - An option to enable/disable signature checks, and then pacman
   interactively prompts the user whether or not he trusts the packager.
   It could automatically get the key when it doesn't have it, and use
   gnupg's web of trust. Then archlinux-keyring would be useless.
   It's theoretically the best solution, but I prefer the first two ones.

-- 
Geoffroy Carrier
http://gcarrier.koon.fr/
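As an added example (not part of this patch or of pacman itself), the following Python models the first two options above: a global keyring and on/off switch, overridable per repository, resolved into a gpg invocation pinned to that keyring. The config keys SigCheck and Keyring, the sample repositories and the extra keyring path are assumptions; only /etc/pacman.d/archlinux-keyring comes from the message.

```python
"""Resolve which keyring (if any) a package's signature should be verified
against, with per-repository overrides and fail-closed defaults.

Added example. The keys 'SigCheck' and 'Keyring' are hypothetical config
options, not real pacman.conf directives.
"""
import os
import shutil
import subprocess
import configparser
from dataclasses import dataclass
from typing import List, Optional

# Keyring path proposed in the message; everything else below is constructed.
DEFAULT_KEYRING = "/etc/pacman.d/archlinux-keyring"

# Constructed sample config: global policy in [options], per-repo overrides.
SAMPLE_CONF = """
[options]
SigCheck = yes
Keyring = /etc/pacman.d/archlinux-keyring

[core]
Server = http://mirror.example/core

[extra]
Server = http://mirror.example/extra
Keyring = /etc/pacman.d/extra-keyring

[localbuilds]
Server = file:///var/cache/localbuilds
SigCheck = no
"""


@dataclass(frozen=True)
class SigPolicy:
    check: bool               # verify signatures for this repository?
    keyring: Optional[str]    # keyring to verify against; None when disabled


def parse_conf(text: str) -> configparser.ConfigParser:
    # allow_no_value lets bare flags (pacman.conf style) parse without error.
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(text)
    return cp


def policy_for(cp: configparser.ConfigParser, repo: str) -> SigPolicy:
    """Repo section overrides [options]; an unknown repo is an error, never
    a silent 'skip the check'."""
    if repo != "options" and not cp.has_section(repo):
        raise KeyError("unknown repository: %s" % repo)
    global_check = cp.getboolean("options", "SigCheck", fallback=True)
    global_keyring = cp.get("options", "Keyring", fallback=DEFAULT_KEYRING)
    check = cp.getboolean(repo, "SigCheck", fallback=global_check)
    keyring = cp.get(repo, "Keyring", fallback=global_keyring)
    return SigPolicy(check=check, keyring=keyring if check else None)


def verify_argv(policy: SigPolicy, pkg_path: str, sig_path: str) -> Optional[List[str]]:
    """Build the gpg command for a detached signature, or None if checks are
    off. --no-default-keyring keeps the user's personal keys out of the
    decision; the curated keyring itself is the trust boundary, hence
    --trust-model always."""
    if not policy.check:
        return None
    return ["gpg", "--batch", "--no-default-keyring", "--keyring", policy.keyring,
            "--trust-model", "always", "--verify", sig_path, pkg_path]


def run_verify(policy: SigPolicy, pkg_path: str, sig_path: str) -> bool:
    """Execute the check. Missing keyring or missing gpg fail closed (raise)
    rather than returning True."""
    argv = verify_argv(policy, pkg_path, sig_path)
    if argv is None:
        return True  # checks explicitly disabled for this repo
    if not os.path.isfile(policy.keyring):
        raise FileNotFoundError("keyring not found: %s" % policy.keyring)
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not installed; refusing to skip verification")
    return subprocess.run(argv, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for name in ("core", "extra", "localbuilds"):
        pol = policy_for(conf, name)
        print(name, pol, verify_argv(pol, "foo.pkg.tar.gz", "foo.pkg.tar.gz.sig"))
```

The resolution is deliberately fail-closed: a repository that is not in the config, a keyring file that is absent, or a missing gpg binary all raise instead of quietly passing the package, so the only way to skip a check is an explicit SigCheck = no on that repository.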
