[pacman-dev] [PATCH] Add Keyring/--keyring option in alpm/pacman
shiningxc at gmail.com
Thu Jun 19 09:54:19 EDT 2008
On Thu, Jun 19, 2008 at 3:28 PM, Dan McGee <dpmcgee at gmail.com> wrote:
> I'll try to summarize the points a bit; this must have come up in
> private discussion but never a public forum.
> 1. Signing databases with one sig gives no way for users to distribute
> signed individual packages and have them verified by pacman.
> 2. Signing a database is a rather big deal. Do I feel comfortable
> signing off on all 2150 packages in extra every single time I sign the
> database? Not at all. What happens if we later find out one package
> was compromised? The whole chain of trust has now been broken, and
> people can't mark a particular signature as untrustworthy to prevent
> installation of a given package.
> 3. Signing what you are in control of just seems like the more correct solution.
> 4. We've found a way to do signoffs on individual packages without
> bloating the database or number of files. PGP signatures can be put in
> the database itself, so it is just another verification like md5sum.
> The biggest reason I had against signing individual packages was the
> fact that .sig files would introduce a hell of a lot of clutter.
Ok, that makes sense.
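The two schemes Dan contrasts above, worked through as an added example. This is not pacman's code: pacman would carry PGP signatures, whereas this stand-in uses Go's standard-library ed25519 so it runs offline. The type and function names (PkgEntry, SignEntry, VerifyPackage, SignDB, VerifyDB), the message layout the signature covers, and the sample archives are all assumptions made for the illustration. It shows point 4 (a per-package signature stored next to the checksum, verified as just another check) and point 2 (a single signature over the whole database cannot express "trust everything except this one package").

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// PkgEntry is one record in a constructed stand-in for a sync database.
// The signature sits next to the checksum, as the thread proposes, so the
// client treats it as one more per-package verification.
type PkgEntry struct {
	Name   string
	SHA256 string // hex digest of the package archive
	Sig    []byte // packager's signature over Name and SHA256
}

// entryMessage is the byte string a per-package signature covers (assumed
// layout). Binding the name in stops a signed checksum being replayed
// under a different package name.
func entryMessage(name, sum string) []byte {
	return []byte(name + "\x00" + sum)
}

func digest(data []byte) string {
	h := sha256.Sum256(data)
	return hex.EncodeToString(h[:])
}

// SignEntry builds the database entry for one package archive.
func SignEntry(priv ed25519.PrivateKey, name string, archive []byte) PkgEntry {
	sum := digest(archive)
	return PkgEntry{Name: name, SHA256: sum, Sig: ed25519.Sign(priv, entryMessage(name, sum))}
}

// VerifyPackage checks a downloaded archive against its database entry:
// the checksum must match, the signature must not be one the user has
// marked untrustworthy, and it must verify under some trusted key.
// Rejecting one package this way leaves every other entry intact.
func VerifyPackage(e PkgEntry, archive []byte, trusted []ed25519.PublicKey, untrusted map[string]bool) error {
	if digest(archive) != e.SHA256 {
		return errors.New(e.Name + ": checksum mismatch")
	}
	if untrusted[hex.EncodeToString(e.Sig)] {
		return errors.New(e.Name + ": signature marked untrustworthy")
	}
	for _, pub := range trusted {
		if ed25519.Verify(pub, entryMessage(e.Name, e.SHA256), e.Sig) {
			return nil
		}
	}
	return errors.New(e.Name + ": no trusted signature")
}

// dbMessage, SignDB and VerifyDB model the alternative from point 2: one
// signature over all entries. Any change to any entry breaks the whole
// signature, and there is no way to distrust a single package.
func dbMessage(entries []PkgEntry) []byte {
	var m []byte
	for _, e := range entries {
		m = append(m, entryMessage(e.Name, e.SHA256)...)
		m = append(m, '\n')
	}
	return m
}

func SignDB(priv ed25519.PrivateKey, entries []PkgEntry) []byte {
	return ed25519.Sign(priv, dbMessage(entries))
}

func VerifyDB(pub ed25519.PublicKey, entries []PkgEntry, sig []byte) bool {
	return ed25519.Verify(pub, dbMessage(entries), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed archive contents standing in for real package files.
	good := SignEntry(priv, "good-1.0-1", []byte("good archive bytes"))
	bad := SignEntry(priv, "compromised-2.0-1", []byte("compromised archive bytes"))
	trusted := []ed25519.PublicKey{pub}
	// The user later learns "compromised" is bad and marks its signature untrusted.
	untrusted := map[string]bool{hex.EncodeToString(bad.Sig): true}

	fmt.Println(VerifyPackage(good, []byte("good archive bytes"), trusted, untrusted))
	fmt.Println(VerifyPackage(bad, []byte("compromised archive bytes"), trusted, untrusted))
	// With a single database signature the same database still verifies as a whole.
	dbSig := SignDB(priv, []PkgEntry{good, bad})
	fmt.Println(VerifyDB(pub, []PkgEntry{good, bad}, dbSig))
}
```

The per-package check deliberately binds the package name into the signed message; a signature over the checksum alone would let a mirror serve a signed archive under another entry's name.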