[pacman-dev] [PATCH 1/5] pacman-key: keyring management tool

Allan McRae allan at archlinux.org
Thu Sep 23 00:36:54 EDT 2010

On 23/09/10 11:38, Denis A. Altoé Falqueto wrote:
> On Wed, Sep 22, 2010 at 6:20 PM, Allan McRae<allan at archlinux.org>  wrote:
>>> We could have an option in pacman.conf that indicates which keys must
>>> be kept, even if in the list of removed keys. For example, an option
>>> called HoldKeys, in the same spirit of HoldPkg.
>>> Do you agree with the need and solution?
>> Just because a developer leaves, does not make his old packages unsafe.  So
>> we really do not want to be rebuilding everything just to resign them.  I
>> think that removing of a key needs to be handled more gracefully at a
>> distribution level rather than immediately removing the key.
>> Saying that, the case of a developer leaving but still hosting a third party
>> repo is interesting and probably needs some work around such as you have
>> pointed out.  The pacman.conf options seems reasonable.  But how about
>> having a system like:
>> addedkeys - key currently being used to sign packages
>> depricatedkeys - keys previously used to sign packages but still safe
>> removedkeys - keys that have been revoked.
>> I guess these are the sort of things that we will discover with some real
>> world usage.
> Yes, I agree. I'll try to implement the option and what you propose,
> because it will give a better organization. So, the operation of
> reloading could be summarized as:
> keyring = (added keys + deprecated keys) - (removed keys - kept keys)
>> Also, I just noticed:
>>         local ADDED_KEYS="${PACMAN_SHARE_DIR}/addedkeys.gpg"
>>         local REMOVED_KEYS="${PACMAN_SHARE_DIR}/removedkeys"
>> The file extension is not consistent.
> Yes, it is kind of intentional :) it needs some explanation.
> The added keys must be a file with the complete public key that is
> being imported, of course. But the removed keys don't need to. In the
> current implementation, it is only a list of key identifiers and the
> added keys are a real keyring, not just an export of a set of keys.
> This seems contrived at first, as I thought when I saw it in apt-get,
> but later I saw the purpose of it. We can manipulate the added keys
> and select which ones will be imported. The above "equation" is an
> example of such manipulation.
> We can also change the extensions. I don't have a problem with that.
> But this explanation may help the decision.

I am not particularly worried here, and is a relatively minor thing that 
can be adjusted later anyway.

Also, we will need to have those file names listed in the pacman-key man 


More information about the pacman-dev mailing list