[pacman-dev] [PATCH] Add Keyring/--keyring option in alpm/pacman

Dan McGee dpmcgee at gmail.com
Thu Jun 19 09:28:08 EDT 2008


On Thu, Jun 19, 2008 at 7:26 AM, Geoffroy Carrier
<geoffroy.carrier at koon.fr> wrote:
> Excerpts from Xavier Chantry's message of Thu Jun 19 11:52:49 +0200 2008:
>> There was a suggestion of just signing the database instead of every package:
>> http://bugs.archlinux.org/task/5331?project=3
>> But I guess it makes more sense to have the packager sign his own
>> package just after creating it, and that it is more secure that way.
>> Is that the reason why the other simpler system was not considered? As
>> far as I can see, no one commented to that idea yet.
> Who would sign it? Aaron Griffin? What does he sign? How can he be
> sure that it's not corrupted? Does he have to move through every dev's
> house to physically get each part of what he signs?

I'll try to summarize the points a bit; this must have come up in
private discussion but never in a public forum.
1. Signing databases with one sig gives no way for users to distribute
signed individual packages and have them verified by pacman.
2. Signing a database is a rather big deal. Do I feel comfortable
signing off on all 2150 packages in extra every single time I sign the
database? Not at all. What happens if we later find out one package
was compromised? The whole chain of trust has now been broken, and
people can't mark a particular signature as untrustworthy to prevent
installation of a given package.
3. Signing what you are in control of just seems like the more correct solution.
4. We've found a way to do signoffs on individual packages without
bloating the database or number of files. PGP signatures can be put in
the database itself, so it is just another verification like md5sum.
The biggest reason I had against signing individual packages was the
fact that .sig files would introduce a hell of a lot of clutter.

-Dan
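What point 4 amounts to in practice, written out as an added example (this is not pacman or libalpm code, and nothing in the mail fixes the details): the repository database entry for a package carries a base64-encoded detached OpenPGP signature next to its checksum, and the client verifies both against the downloaded file. Assumptions not in the mail: pacman-style `%FIELD%` records, the field names `%MD5SUM%` and `%PGPSIG%`, an installed `gpg` binary doing the OpenPGP work, and a caller-supplied set of long key IDs to treat as distrusted, which is the per-package answer to point 2 (a bad key only invalidates the packages it signed, not the whole database). The sample package bytes and record are constructed, and the signature in them is a placeholder, so `gpg` reports it as invalid rather than good.

```python
"""Verify a package against the md5sum and PGP signature kept in its
repository-database entry.  Added example, not pacman/libalpm code.
Assumed (not from the mail): %FIELD% records, %MD5SUM% and %PGPSIG%
fields, base64 detached signature, an installed `gpg` binary."""
import base64
import hashlib
import os
import shutil
import subprocess
import tempfile


def parse_desc(text):
    """Parse '%FIELD%\\nvalue...\\n\\n' blocks into {field: [values]}."""
    fields, current = {}, None
    for line in text.splitlines():
        if len(line) > 2 and line.startswith("%") and line.endswith("%"):
            current = line[1:-1]
            fields[current] = []
        elif line and current is not None:
            fields[current].append(line)
    return fields


def md5_matches(pkg_bytes, fields):
    """The existing checksum check that the signature check sits beside."""
    expected = fields.get("MD5SUM", [""])[0]
    return hashlib.md5(pkg_bytes).hexdigest() == expected.lower()


def pgpsig_status(pkg_bytes, fields, keyring_dir=None, distrusted_keyids=()):
    """Return 'good', 'distrusted', 'bad', 'unknown-key', 'invalid',
    'no-gpg' or 'missing'.  The signature is decoded from the record into a
    temp file and handed to `gpg --verify`; gpg's machine-readable
    --status-fd lines are parsed instead of its human-readable output.
    distrusted_keyids is an assumed local denylist of long key IDs."""
    if not fields.get("PGPSIG"):
        return "missing"
    if shutil.which("gpg") is None:
        return "no-gpg"
    workdir = tempfile.mkdtemp()
    try:
        pkg_path = os.path.join(workdir, "pkg")
        sig_path = os.path.join(workdir, "pkg.sig")
        with open(pkg_path, "wb") as f:
            f.write(pkg_bytes)
        with open(sig_path, "wb") as f:
            f.write(base64.b64decode("".join(fields["PGPSIG"])))
        cmd = ["gpg", "--batch", "--no-tty", "--status-fd", "1"]
        if keyring_dir:
            cmd += ["--homedir", keyring_dir]
        cmd += ["--verify", sig_path, pkg_path]
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    status = {}
    for line in proc.stdout.splitlines():
        if line.startswith("[GNUPG:] "):
            parts = line.split()
            status[parts[1]] = parts[2:]
    if "GOODSIG" in status:
        # GOODSIG <long keyid> <userid>: a valid signature from a known key.
        return "distrusted" if status["GOODSIG"][0] in distrusted_keyids else "good"
    if "BADSIG" in status:
        return "bad"
    if "NO_PUBKEY" in status:
        return "unknown-key"
    return "invalid"


def verify_entry(pkg_bytes, desc_text, keyring_dir=None, distrusted_keyids=()):
    """Both checks a client would run on a downloaded package."""
    fields = parse_desc(desc_text)
    return {
        "md5": md5_matches(pkg_bytes, fields),
        "pgp": pgpsig_status(pkg_bytes, fields, keyring_dir, distrusted_keyids),
    }


# Constructed sample: package bytes plus a database record for them.  The
# %PGPSIG% value is a placeholder, not a real OpenPGP signature packet.
SAMPLE_PKG = b"stand-in for example-1.0-1.pkg.tar.gz"
SAMPLE_DESC = (
    "%NAME%\nexample\n\n%VERSION%\n1.0-1\n\n"
    "%MD5SUM%\n" + hashlib.md5(SAMPLE_PKG).hexdigest() + "\n\n"
    "%PGPSIG%\n"
    + base64.b64encode(b"placeholder, not an OpenPGP packet").decode()
    + "\n\n"
)

if __name__ == "__main__":
    print(verify_entry(SAMPLE_PKG, SAMPLE_DESC))
    print(verify_entry(SAMPLE_PKG + b"tampered", SAMPLE_DESC))
```

Passing `keyring_dir` points `gpg` at a dedicated homedir (the `--keyring` idea in the subject line), so the set of accepted packager keys is separate from the user's personal keyring; removing a key from it, or listing it in `distrusted_keyids`, only affects packages that key signed.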
