[pacman-dev] [ Package Signing ] Your signature please

[IgnorantGuru]

On Sat, 19 Feb 2011 10:25:38 +0100
Pierre Schmitz <pierre at archlinux.de> wrote:

> I'd prefer to be pointed at some documents which
> describe exactly the wrokflow to sign a package with makepkg, upload
> it, add it to a db, update, replace and delete it.
> 
> Once there is a version of pacman which supports signed packages I can
> start implementing these ideas.

I think it is best not to wait for pacman - that is what is stopping this from reaching usable reality.  From the looks of it, pacman is never going to get done until the signatures are available and there's a demand for checking them.  If changes need to be made later to make the signatures (file format, etc) compatible with pacman, that should be minor, especially if it is well written.

As I said, I'm eager to write and maintain a script that checks the pkg cache signatures, at least until pacman is complete in this area, and I don't mind if the sig db format changes a few times.  But I can't check signatures when there are none to check.  So I definitely encourage the work you're talking about, and it alone will vastly improve the security situation, regardless of pacman.