[pacman-dev] [arch-general] Package signing

Denis A. Altoé Falqueto denisfalqueto at gmail.com
Fri May 7 19:57:01 CEST 2010

On Fri, May 7, 2010 at 9:28 AM, Aleksis Jauntēvs
<aleksis.jauntevs at gmail.com> wrote:
> Still thinking further - if the signatures are updated with pacman-keyring
> package, what if user doesn't update often and skips one or more versions of
> this package? Does this means that user still will have some unremoved
> signatures in his pacman keyring? Correct me if I understand this wrong.

The nomenclature for the "added" keys file is not really the best. The
idea is that it would be the set of current valid keys. So, the
updatedb process would just be: current keyring - deleted keys + valid

When a key is approved, it goes to the set of valid keys and stays
there until it is revoked or disabled by moving it to the deleted keys
set. So, even if a user miss a pacman-keyring package update, the next
will still contain all valid keys and the result will be correct.

> And other question, if some developers key becomes invalid, how to deal with
> all packages in the repos signed with this signature?

I think they should be at least re-signed by a valid dev key. Maybe,
if some package was compromised, it should be rebuilt and re-signed by
a valid dev key.

A: Because it obfuscates the reading.
Q: Why is top posting so bad?

Denis A. Altoe Falqueto

More information about the pacman-dev mailing list