[pacman-dev] gnupg package signing

Dan McGee dpmcgee at gmail.com
Tue Aug 25 07:24:39 EDT 2009


On Mon, Aug 24, 2009 at 6:19 PM, Dan McGee<dpmcgee at gmail.com> wrote:
> On Mon, Aug 24, 2009 at 5:28 PM, Xavier<shiningxc at gmail.com> wrote:
>> On Tue, Aug 25, 2009 at 12:19 AM, Allan McRae<allan at archlinux.org> wrote:
>>> Xavier wrote:
>>>>
>>>> Just to let you know that I resurrected the gpg branch there :
>>>> http://code.toofishes.net/cgit/xavier/pacman.git/log/?h=gpg
>>>>
>>>> I took Dan's newgpg branch (with a few changes) :
>>>> http://code.toofishes.net/cgit/dan/pacman.git/commit/?h=newgpg
>>>> then merged the pending patches we had :
>>>> http://archlinux.org/pipermail/pacman-dev/2008-December/007808.html
>>>> http://archlinux.org/pipermail/pacman-dev/2008-December/007836.html
>>>> http://archlinux.org/pipermail/pacman-dev/2008-December/007837.html
>>>> and rebased it all on master.
>>>>
>>>> Actually I don't see what else needs to be done on the implementation
>>>> side, it looks almost complete to me.
>>>>
>>>> Now the big remaining problem is everything related to key
>>>> administration still needs to be figured out, and this is critical in
>>>> terms of security.
>>>> But it might not need additional tool support.
>>>>
>>>
>>> So...   how about we set up a small signed package repo somewhere and just
>>> see how this all goes?  We are not going to know all the issues until we
>>> actually use it.
>>>
>>
>> That's probably a good idea.
>> I wish some people who actually knew how to use gnupg a bit could help though :)
>
> I did a whole lot of looking and working on this today while sitting
> in the jury waiting room (and woo, I got picked to be on a jury, meh).
> I've actually worked my way back through the original patches and am
> about halfway through what Xavier has on his branch, and I've actually
> added another 3 or 4 patches to the mix. I'll try to push the
> "results" somewhere public tonight. I do feel the momentum on this
> whole thing actually moving in the right direction, however, so that
> is awesome.
>
> Hopefully I will be able to continue the patch processing and tidying
> and keep looking at this throughout the week.

Remember only half of the patches are there:
http://code.toofishes.net/cgit/dan/pacman.git/log/?h=gpg

