[pacman-dev] pacman-key imports and key trust levels

Ray Kohler ataraxia937 at gmail.com
Fri Mar 25 23:52:28 EDT 2011

On Fri, Mar 25, 2011 at 11:40 PM, Ray Kohler <ataraxia937 at gmail.com> wrote:
> While I'm talking about signing stuff - I noticed an open question on
> what to do with the downloaded DB if sig verification fails. I suggest
> it be deleted, and the sig be deleted also. These are generally small
> files, and it feels really wrong to keep a file "live" on my disk
> which has been declared untrustworthy.

After a little more thought, probably it would be better to treat it
like a bad package download, and ask the user if it should be deleted
or not. The sig file is deleted before each download attempt anyway,
so it can probably just stay there.

More information about the pacman-dev mailing list