[pacman-dev] Pacman 4.0.0rc2
dpmcgee at gmail.com
Thu Sep 29 22:34:59 EDT 2011
On Thu, Sep 29, 2011 at 9:23 PM, Denis A. Altoé Falqueto
<denisfalqueto at gmail.com> wrote:
> On Thu, Sep 29, 2011 at 6:39 PM, Dan McGee <dpmcgee at gmail.com> wrote:
>> On Thu, Sep 29, 2011 at 1:37 PM, Denis A. Altoé Falqueto
>> <denisfalqueto at gmail.com> wrote:
>>> On Thu, Sep 22, 2011 at 2:27 PM, Dan McGee <dpmcgee at gmail.com> wrote:
>>>> Please report any issues you may find with this package, as it is
>>>> getting very close to being an actual releasable version. These are
>>>> debug builds with symbols, so getting stack traces and helpful logging
>>>> should be relatively straight forward if necessary.
>>> I'm using it in a daily basis and it is very good! I just have one
>>> issue with pacman-key.
>>> I'm using --lsign-key to sign keys locally, so gpg trusts them for
>>> validating signatures. But pacman-key is confirming the process
>>> without asking me. It just feeds 'y's to gpg, so it signs the keys
>>> without I having the chance of doing manual validation of
>>> fingerprints. I think pacman-key should just let gpg handle the
>>> process, showing information about the key and asking if I agree with
>>> that. For example, if one uses --edit-key to sign keys, a manual
>>> confirmation is needed to get a key signed.
>>> Do you agree? I can send a patch, if that's the case.
>> If you want this level of control, why wouldn't you just use
>> `pacman-key --edit-key`?
> Indeed, I could. And i was, until I saw the option to sign directly.
> But I think it is important for the user to have an opportunity to
> validate the key that will be signed. It is an important operation and
> shouldn't be made in a hurry. That's why gpg itself requires the user
> to confirm before signing.
I added this operation as a helpful shortcut; I'd like it to stay
helpful (to me at least) by not wasting my time, and also being
generally useful in a script where I can't have interactivity.
If the user wants to slow down, use --edit-key, or use --list-sigs
before calling --lsign-key- we aren't forcing this down their throat
by any means.
I see --populate and --edit-key as interactive options, I never meant
for --lsign-key to be in that same boat. Does that make sense? I'd be
happy to document this better.
More information about the pacman-dev