[pacman-dev] gnupg package signing

Dan McGee dpmcgee at gmail.com
Mon Aug 24 19:19:44 EDT 2009


On Mon, Aug 24, 2009 at 5:28 PM, Xavier<shiningxc at gmail.com> wrote:
> On Tue, Aug 25, 2009 at 12:19 AM, Allan McRae<allan at archlinux.org> wrote:
>> Xavier wrote:
>>>
>>> Just to let you know that I resurrected the gpg branch there :
>>> http://code.toofishes.net/cgit/xavier/pacman.git/log/?h=gpg
>>>
>>> I took Dan's newgpg branch (with a few changes) :
>>> http://code.toofishes.net/cgit/dan/pacman.git/commit/?h=newgpg
>>> then merged the pending patches we had :
>>> http://archlinux.org/pipermail/pacman-dev/2008-December/007808.html
>>> http://archlinux.org/pipermail/pacman-dev/2008-December/007836.html
>>> http://archlinux.org/pipermail/pacman-dev/2008-December/007837.html
>>> and rebased it all on master.
>>>
>>> Actually I don't see what else needs to be done on the implementation
>>> side, it looks almost complete to me.
>>>
>>> Now the big remaining problem is everything related to key
>>> administration still needs to be figured out, and this is critical in
>>> term of security.
>>> But it might not need additional tool support.
>>>
>>
>> So...   how about we set up a small signed package repo somewhere and just
>> see how this all goes?  We are not going to know all the issues until we
>> actually use it.
>>
>
> That's probably a good idea.
> I wish some people who actually knew how to use gnupg a bit could help though :)

I did a whole lot of looking and working on this today while sitting
in the jury waiting room (and woo, I got picked to be on a jury, meh).
I've actually worked my way back through the original patches and am
about halfway through what Xavier has on his branch, and I've actually
added another 3 or 4 patches to the mix. I'll try to push the
"results" somewhere public tonight. I do feel the momentum on this
whole thing actually moving in the right direction, however, so that
is awesome.

Hopefully I will be able to continue the patch processing and tidying
and keep looking at this throughout the week.

-Dan


More information about the pacman-dev mailing list