[pacman-dev] [PATCH] Add Keyring/--keyring option in alpm/pacman

Geoffroy Carrier geoffroy.carrier at koon.fr
Thu Jun 19 08:26:03 EDT 2008


Excerpts from Xavier Chantry's message of Thu Jun 19 11:52:49 +0200 2008:
> There was a suggestion of just signing the database instead of every package:
> http://bugs.archlinux.org/task/5331?project=3
> But I guess it makes more sense to have the packager sign his own
> package just after creating it, and that it is more secure that way.
> Is that the reason why the other simpler system was not considered? As
> far as I can see, no one has commented on that idea yet.
Who would sign it? Aaron Griffin? What does he sign? How can he be
sure that it's not corrupted? Does he have to move through every dev's
house to physically get each part of what he signs?

-- 
Geoffroy Carrier
http://gcarrier.koon.fr/



