[pacman-dev] Signing by default (was: [PATCH] Add Keyring/--keyring option in alpm/pacman)

Dan McGee dpmcgee at gmail.com
Tue Jun 3 07:54:48 EDT 2008


On Tue, Jun 3, 2008 at 1:59 AM, Pierre Schmitz <pierre at archlinux.de> wrote:
> On Tuesday 03 June 2008 01:46:11 Geoffroy Carrier wrote:
>> We have to think about the default interaction.
>> It would be easy to sign all packages as the first step, so expecting
>> signed packages for the first pacman release including GPG support seems
>> fair to me. I think we should ask the user for confirmation in case
>> packages are not signed, like the apt tools do.
>
> First: great work and thanks for starting the gpg-signing in pacman. Imho we
> should force devs to sign packages by default, because the whole thing will
> become useless if only one single package in our repos is not signed.

Keep in mind that this is
1. An Arch decision, not a pacman decision
2. A policy decision, not something that should be enforced by pacman code

Enforcing this at the Arch-specific dbscripts level would be OK, but I
don't think it is wise to force makepkg/pacman to sign all packages,
especially those that are built for local use only. Some people don't
have PGP keys, so this would be a pain in the ass.

-Dan