[pacman-dev] gnupg package signing
Allan McRae
allan at archlinux.org
Mon Aug 24 18:19:37 EDT 2009
Xavier wrote:
> Just to let you know that I resurrected the gpg branch there:
> http://code.toofishes.net/cgit/xavier/pacman.git/log/?h=gpg
>
> I took Dan's newgpg branch (with a few changes):
> http://code.toofishes.net/cgit/dan/pacman.git/commit/?h=newgpg
> then merged the pending patches we had:
> http://archlinux.org/pipermail/pacman-dev/2008-December/007808.html
> http://archlinux.org/pipermail/pacman-dev/2008-December/007836.html
> http://archlinux.org/pipermail/pacman-dev/2008-December/007837.html
> and rebased it all on master.
>
> Actually I don't see what else needs to be done on the implementation
> side, it looks almost complete to me.
>
> Now the big remaining problem is everything related to key
> administration still needs to be figured out, and this is critical in
> terms of security.
> But it might not need additional tool support.
>
So... how about we set up a small signed package repo somewhere and
just see how this all goes? We are not going to know all the issues
until we actually use it.
Allan