[pacman-dev] [PATCH 1/3] Changed all references to signature verification level in libalpm symbols to 'verifysig'. Removed references to PGP in libalpm symbols. Signed-off-by: Kerrick Staley <mail at kerrickstaley.com>

Dan McGee dpmcgee at gmail.com
Wed Jun 1 16:50:00 EDT 2011


On Wed, Jun 1, 2011 at 3:46 PM, Dan McGee <dpmcgee at gmail.com> wrote:
> ^^^ You deleted the blank line between the patch subject and the
> summary text, which makes it do what it did. You'll want to put that
> back.
>
> On Wed, Jun 1, 2011 at 3:03 PM, Kerrick Staley <mail at kerrickstaley.com> wrote:
>
> So I don't find VerifySig any more appetizing, other than matching the
> option name we came up with. I was leaning in my head when I wrote up
> this TODO toward something like GPGLevel, SigLevel, etc. I also think
> we may need to be a bit more granular than our current
> Always/Optional/Never trifecta. We have a multitude of possibilities
> when checking a signature:
>
> * Valid signature, fully trusted (or ultimate;
> GPGME_VALIDITY_{ULTIMATE, FULL}).
>
> * Valid signature, unknown trust/unknown key (GPGME_VALIDITY_UNKNOWN,
> GPGME_SIGSUM_KEY_MISSING).
> * Valid signature, trust somewhere in between (marginal,
> GPGME_VALIDITY_MARGINAL).
>
> * Valid signature, user is never valid (GPGME_VALIDITY_NEVER)
> * Valid signature, signature is however expired (GPGME_SIGSUM_SIG_EXPIRED)
> * Valid signature, key is however expired (GPGME_SIGSUM_KEY_EXPIRED)
> * Bad signature, trust level is irrelevant (GPGME_VALIDITY_RED)
>
> Thoughts from anyone else on the naming, as well as what to do as far
> as expanded options? I've divided it above into roughly 3 categories,
> of which the top would always be acceptable, the bottom would never,
> and the middle could be a switchable option. I'm envisioning something
> like:
>
> SigLevel = Always AllowUnknown
>
> [core]
> SigLevel = Always
>
> [otherrepo]
> SigLevel = Optional AllowUnknown

I should also add that the ability to have a signed database without
signed packages could be done this same way; e.g. "SigLevel =
NoPackages" or something (maybe even a corresponding "NoDatabase").
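As an added illustration of the three buckets and the per-repository override sketched in the quoted proposal, here is a small C model of a SigLevel policy. This is example code written for this discussion, not pacman or libalpm code. It defines local mirrors of the GPGME validity and signature-summary constants so it builds without gpgme.h (their numeric values are assumed to match the header); grouping marginal trust together with unknown keys under AllowUnknown is one reading of the proposal, and parse_siglevel, check_signature, decide and effective_siglevel are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Local mirrors of the gpgme enumerations named in the mail, so the example
 * compiles without gpgme.h. Numeric values are assumed to match gpgme.h; real
 * code would include the header and use GPGME_VALIDITY_* / GPGME_SIGSUM_*. */
enum validity { V_UNKNOWN = 0, V_UNDEFINED, V_NEVER, V_MARGINAL, V_FULL, V_ULTIMATE };
enum sigsum {
    S_VALID = 0x0001, S_GREEN = 0x0002, S_RED = 0x0004, S_KEY_REVOKED = 0x0010,
    S_KEY_EXPIRED = 0x0020, S_SIG_EXPIRED = 0x0040, S_KEY_MISSING = 0x0080,
    S_BAD_POLICY = 0x0400, S_SYS_ERROR = 0x0800
};

/* The proposed SigLevel policy: a base level plus the AllowUnknown switch. */
enum level { LEVEL_NEVER, LEVEL_OPTIONAL, LEVEL_ALWAYS };
struct siglevel { enum level level; int allow_unknown; };

/* One verification result; has_sig == 0 means no signature was found at all. */
struct sigresult { int has_sig; enum validity validity; unsigned sigsum; };

enum verdict { REJECT = 0, ACCEPT = 1 };

static int word_is(const char *p, size_t n, const char *w)
{
    return strlen(w) == n && strncmp(p, w, n) == 0;
}

/* Parse a SigLevel value such as "Always AllowUnknown" or "Optional".
 * Returns 0 on success, -1 on an unrecognised word (callers fail closed). */
int parse_siglevel(const char *value, struct siglevel *out)
{
    const char *p = value;
    out->level = LEVEL_OPTIONAL;   /* constructed default for this example */
    out->allow_unknown = 0;
    while (*p) {
        size_t n;
        p += strspn(p, " \t");
        if (*p == '\0') break;
        n = strcspn(p, " \t");
        if (word_is(p, n, "Always"))            out->level = LEVEL_ALWAYS;
        else if (word_is(p, n, "Optional"))     out->level = LEVEL_OPTIONAL;
        else if (word_is(p, n, "Never"))        out->level = LEVEL_NEVER;
        else if (word_is(p, n, "AllowUnknown")) out->allow_unknown = 1;
        else return -1;
        p += n;
    }
    return 0;
}

/* Sort a result into the three buckets from the mail: always acceptable,
 * never acceptable, or switchable by AllowUnknown. Anything not positively
 * identified as the top bucket falls into the switchable middle, so the
 * default outcome for an unclassified result is to reject. */
enum verdict check_signature(const struct siglevel *pol, const struct sigresult *r)
{
    const unsigned fatal = S_RED | S_KEY_REVOKED | S_KEY_EXPIRED | S_SIG_EXPIRED
                         | S_BAD_POLICY | S_SYS_ERROR;

    if (pol->level == LEVEL_NEVER)
        return ACCEPT;                       /* verification switched off */
    if (!r->has_sig)
        return pol->level == LEVEL_OPTIONAL ? ACCEPT : REJECT;

    /* bottom bucket: bad/expired signature, expired or revoked key, "never" trust */
    if ((r->sigsum & fatal) || r->validity == V_NEVER)
        return REJECT;

    /* top bucket: fully valid signature from a fully or ultimately trusted key */
    if ((r->sigsum & S_VALID) && (r->validity == V_FULL || r->validity == V_ULTIMATE))
        return ACCEPT;

    /* middle bucket: good signature but unknown key, or unknown/marginal trust */
    return pol->allow_unknown ? ACCEPT : REJECT;
}

/* Convenience wrapper: parse the SigLevel string and judge one result.
 * A malformed SigLevel string fails closed. */
enum verdict decide(const char *siglevel, int has_sig, enum validity v, unsigned sigsum)
{
    struct siglevel pol;
    struct sigresult r = { has_sig, v, sigsum };
    if (parse_siglevel(siglevel, &pol) != 0)
        return REJECT;
    return check_signature(&pol, &r);
}

/* Per-repo override as in the [core] / [otherrepo] example: a repository's
 * own SigLevel wins, otherwise the global setting applies. */
const char *effective_siglevel(const char *global, const char *repo)
{
    return repo ? repo : global;
}

int main(void)
{
    const char *global = "Always AllowUnknown";
    struct { const char *name; const char *siglevel; } repos[] =
        { { "core", "Always" }, { "otherrepo", "Optional AllowUnknown" }, { "extra", NULL } };
    struct sigresult unknown_key = { 1, V_UNKNOWN, S_KEY_MISSING }; /* constructed sample */
    size_t i;
    for (i = 0; i < sizeof repos / sizeof repos[0]; i++) {
        struct siglevel pol;
        const char *lvl = effective_siglevel(global, repos[i].siglevel);
        parse_siglevel(lvl, &pol);
        printf("%-10s SigLevel=%-22s unknown key -> %s\n", repos[i].name, lvl,
               check_signature(&pol, &unknown_key) == ACCEPT ? "accept" : "reject");
    }
    return 0;
}
```

The point of the middle-bucket fallthrough is that only a result explicitly matching the top bucket is accepted unconditionally; an unknown key, marginal trust, or any summary bit the code does not recognise is accepted only when the repository's SigLevel opts in with AllowUnknown.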
