[pacman-dev] [PATCH] Add Keyring/--keyring option in alpm/pacman

Xavier shiningxc at gmail.com
Thu Jun 19 05:52:49 EDT 2008


On Tue, Jun 3, 2008 at 8:59 AM, Pierre Schmitz <pierre at archlinux.de> wrote:
> Am Dienstag 03 Juni 2008 01:46:11 schrieb Geoffroy Carrier:
>> We have to think about the default interaction.
>> It would be easy to sign all packages as the first step, so excepting
>> signed packages for the first pacman release including GPG support seems
>> fair to me. I think asking confirmation from the user in case packages
>> are not signed, like apt tools do.
>
> First: great work and thanks for starting the gpg-signing in pacman. Imho we
> should force devs to sign packages by default. Because the whole thing will
> become useless if only one single package in our repos is not signed.
>

There was a suggestion of just signing the database instead of every package:
http://bugs.archlinux.org/task/5331?project=3
But I guess it makes more sense to have the packager sign his own
package just after creating it, and that it is more secure that way.
Is that the reason why the other simpler system was not considered? As
far as I can see, no one has commented on that idea yet.
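The two verification models discussed in this thread, per-package signatures versus a single signed repository database that lists package hashes, as an added illustration that is not pacman's code and not from anyone in the thread. HMAC-SHA256 with constructed random keys stands in for GPG signatures, and the database format (one `name sha256hex` line per package) is an assumption made here, not pacman's real format.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins: random keys and HMAC-SHA256 model a GPG keypair and signature.
PACKAGER_KEY = secrets.token_bytes(32)  # one packager's key (per-package model)
REPO_KEY = secrets.token_bytes(32)      # key that signs the repository database


def sign(key: bytes, data: bytes) -> bytes:
    """Stand-in for a detached signature over data."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    """Constant-time check of a stand-in signature."""
    return hmac.compare_digest(sign(key, data), sig)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Model A: every package ships with its own detached signature; the client
# accepts a package only if some trusted packager key verifies it. A package
# with no signature (or a signature from an untrusted key) is rejected.
def verify_package_signature(pkg_bytes: bytes, sig: bytes, trusted_keys) -> bool:
    return any(verify(k, pkg_bytes, sig) for k in trusted_keys)


# Model B: only the database is signed, and it lists the hash of every package.
def build_database(packages: dict) -> tuple:
    """Assumed format: one 'name sha256hex' line per package, signed as a whole."""
    body = "\n".join(
        f"{name} {sha256_hex(data)}" for name, data in sorted(packages.items())
    ).encode()
    return body, sign(REPO_KEY, body)


def verify_via_database(name: str, pkg_bytes: bytes, db_body: bytes,
                        db_sig: bytes, repo_key: bytes) -> bool:
    """Trust in the package is derived from the database signature plus its hash.

    Order matters: the database signature is checked before any entry is used,
    so a tampered database cannot vouch for a tampered package.
    """
    if not verify(repo_key, db_body, db_sig):
        return False
    entries = dict(line.split(" ", 1) for line in db_body.decode().splitlines())
    expected = entries.get(name)
    # A package absent from the signed database has no integrity guarantee.
    return expected is not None and hmac.compare_digest(expected, sha256_hex(pkg_bytes))


if __name__ == "__main__":
    pkg = b"constructed package contents"
    print("per-package ok:", verify_package_signature(pkg, sign(PACKAGER_KEY, pkg), [PACKAGER_KEY]))
    body, db_sig = build_database({"foo": pkg})
    print("database ok:", verify_via_database("foo", pkg, body, db_sig, REPO_KEY))
    print("tampered package via database:", verify_via_database("foo", pkg + b"!", body, db_sig, REPO_KEY))
```

In the database model every package is covered as long as the repository key is trusted and the client refuses anything not listed, which is why the thread's "one unsigned package makes the scheme useless" concern maps onto the per-package model only; the trade-off is that the database model cannot tell the client which packager built a given package.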