[pacman-dev] [PATCH 2/2] pacman-key: make sure we actually use the Web of Trust, which GnuPG doesn't.

Eli Schwartz eschwartz at archlinux.org
Mon Oct 7 02:53:38 UTC 2019


On 10/6/19 10:42 PM, Allan McRae wrote:
>> +	if (( $(vercmp "$gpg_ver" 2.2.17) >= 0 )); then
>> +		add_gpg_conf_option "$conffile" 'keyserver-options' 'no-self-sigs-only,no-import-clean'
> 
> Doesn't import-clean actually do what we want?   Strips signatures from
> keys not in the keyring?  Assuming users are not setting up the initial
> keyring by importing keys manually...

Hmm, on second thought you're right. no-self-sigs-only will prevent the
main thing that annoys us, which is getting rid of sigs we want because
we have the WoT keys which match it.

no-import-clean would return us to feature parity with the older gnupg
releases, but that's not the fundamental goal, and the only benefit it
would get us is being able to later on import a master key and have it
validate, which seems like an unlikely event. Anyway, it seems like
refreshing that key would re-acquire the cleaned signatures.

Do you want to leave the import-clean setting out entirely, or take the
opportunity to start having the keyring be guaranteed to be cleaned?

-- 
Eli Schwartz
Bug Wrangler and Trusted User

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1601 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20191006/0bf0be70/attachment.sig>


More information about the pacman-dev mailing list