[pacman-dev] [PATCH 1/2] Documented SigLevel in pacman.conf.5.txt

Dave Reisner d at falconindy.com
Mon Jul 18 00:26:51 EDT 2011


On Sun, Jul 17, 2011 at 11:06:29PM -0500, Kerrick Staley wrote:
> Added the documentation for the SigLevel to pacman.conf.5.txt; the code
> that implements this will be put into place with the next commit.
> 

A general comment -- we write our commit messages in the present tense,
rather than the past. You'll find that this is a general trend across
most git repos.

> Signed-off-by: Kerrick Staley <mail at kerrickstaley.com>
> ---
>  doc/pacman.conf.5.txt |   24 ++++++++++++++++++++++++
>  1 files changed, 24 insertions(+), 0 deletions(-)
> 
> diff --git a/doc/pacman.conf.5.txt b/doc/pacman.conf.5.txt
> index a28e00f..349e4f7 100644
> --- a/doc/pacman.conf.5.txt
> +++ b/doc/pacman.conf.5.txt
> @@ -156,6 +156,30 @@ Options
>  	packages are only cleaned if not installed locally and not present in any
>  	known sync database.
>  
> +*SigLevel =* ...::
> +	If set to `Never` (the default), signatures won't ever be

We're putting all this work into package signing, and we're not going to
enable it by default? Certainly requiring full trust of all packages and
DBs isn't realistic for launch day, but if the sig is available, we
should be checking it by default.

> +	checked. Conversely, `Required` will require signatures on all packages
> +	and databases. `PackageHash` will require database signatures but accept
> +	any package as long as the corresponding database gives a secure hash for
> +	it (a good compromise when signing every package is too difficult for a
> +	distribution's maintainers).
> +	A more advanced setting is `Optional`, which will perform signature checks
> +	if signatures are present but will allow unsigned databases/packages; this
> +	can be useful when a distribution is making a transition from unsigned
> +	repositories to signed ones.
> +	For advanced configuration, you can list any of the settings described
> +	hereafter, but the options can't be contradictory; `PackageHash` may also
> +	be included in the list. `PackageRequired` and `DatabaseRequired` work
> +	like `Required`, but only cause checks to be performed on packages and
> +	databases, respectively; `Required` is equivalent to `PackageRequired
> +	DatabaseRequired` with no other options. `PackageOptional` works
> +	similarly to `PackageRequired`, and the two cannot be specified together;
> +	`DatabaseOptional` works similarly for databases. `PackageMarginal`
> +	causes signatures from marginally trusted keys to be accepted on packages;
> +	`DatabaseMarginal` works similarly for databases. `PackageUnknown`
> +	causes signatures made with an unknown key to be accepted on packages;
> +	`DatabaseMarginal` works similarly for databases.
> +

Surely there's a typo somewhere in here near the end...

>  *UseSyslog*::
>  	Log action messages through syslog(). This will insert log entries into
>  	+{localstatedir}/log/messages+ or equivalent.
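
Review bot: The last sentence of the added SigLevel entry names
`DatabaseMarginal` as the database counterpart of `PackageUnknown`,
although the sentence before it already uses `DatabaseMarginal` as the
counterpart of `PackageMarginal`; the second occurrence should name the
unknown-key option for databases instead. The entry also says the listed
options "can't be contradictory" without saying what happens when they
are, for example `PackageOptional` together with `PackageRequired`;
document whether that is rejected as a configuration error or which
setting wins. Because `PackageUnknown` accepts signatures made with an
unknown key, the text should also say what such a signature still
guarantees, so that nobody mistakes the setting for one that verifies
the signer.
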
> -- 
> 1.7.6
> 

I'm going to leave a full grammar review to someone else who can do a more
precise job than I can.

dave
