FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > ArchLinux > ArchLinux Development

 
 
LinkBack Thread Tools
 
Old 01-07-2012, 07:01 AM
Allan McRae
 
Default Enforcing trusted signatures on all package uploads

Hi,

I think it is about time that we started enforcing that all package
uploads are signed by a trusted signature. With the way our
web-of-trust works, that means anybody without their keys signed by at
least three of the Arch Linux Master Keys will no longer be able to
upload packages.

All master keys holders have been available for key signing for over a
month (some nearer to two months...) so there has been plenty of
opportunity to have this done. Enforcing all signatures are trusted
means anyone using signature checking in pacman only needs to import and
trust the master keys.

I see Pierre has already committed the needed change to dbscripts, they
just need enabled. Is there anything stopping this happening?


FYI, the following people have packages in the repos and do not have the
required number of master key signatures to be trusted:

[allan@gerolde ~]$ for i in /srv/ftp/pool/{packages,community}/*.sig; do
pacman-key --verify $i; done 2>&1 | grep -B1 WARNING | grep from | sort
| uniq
gpg: Good signature from "Jaroslav Lichtblau (trusted user)
<dragonlord@aur.archlinux.org>"
gpg: Good signature from "Kevin Piche <kevin@archlinux.org>"
gpg: Good signature from "Ronald van Haren <ronald@archlinux.org>"
gpg: Good signature from "Vesa Kaihlavirta <vegai@iki.fi>"

Allan
 
Old 01-07-2012, 02:54 PM
Dan McGee
 
Default Enforcing trusted signatures on all package uploads

On Sat, Jan 7, 2012 at 2:01 AM, Allan McRae <allan@archlinux.org> wrote:
> Hi,
>
> I think it is about time that we started enforcing that all package
> uploads are signed by a trusted signature. *With the way our
> web-of-trust works, that means anybody without their keys signed by at
> least three of the Arch Linux Master Keys will no longer be able to
> upload packages.
>
> All master keys holders have been available for key signing for over a
> month (some nearer to two months...) so there has been plenty of
> opportunity to have this done. *Enforcing all signatures are trusted
> means anyone using signature checking in pacman only needs to import and
> trust the master keys.

I realize I'm the pain in the ass requiring a bit more before I sign
your keys, but given we have 5 master keys, and we're only enforcing 3
signatures (at least at this point in the game), I am on board with
requiring this. I do plan to get back to my backlog of requests soon
enough.

-Dan
 

Thread Tools




All times are GMT. The time now is 03:42 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org