FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > ArchLinux > ArchLinux Development

 
 
LinkBack Thread Tools
 
Old 01-07-2012, 07:45 AM
Dieter Plaetinck
 
Default Enforcing trusted signatures on all package uploads

On Sat, 07 Jan 2012 18:01:12 +1000
Allan McRae <allan@archlinux.org> wrote:

> Hi,
>
> I think it is about time that we started enforcing that all package
> uploads are signed by a trusted signature. With the way our
> web-of-trust works, that means anybody without their keys signed by at
> least three of the Arch Linux Master Keys will no longer be able to
> upload packages.
>
> All master keys holders have been available for key signing for over a
> month (some nearer to two months...) so there has been plenty of
> opportunity to have this done. Enforcing all signatures are trusted
> means anyone using signature checking in pacman only needs to import
> and trust the master keys.
>
> I see Pierre has already committed the needed change to dbscripts,
> they just need enabled. Is there anything stopping this happening?
>
>
> FYI, the following people have packages in the repos and do not have
> the required number of master key signatures to be trusted:
>
> [allan@gerolde ~]$ for i in /srv/ftp/pool/{packages,community}/*.sig;
> do pacman-key --verify $i; done 2>&1 | grep -B1 WARNING | grep from |
> sort | uniq
> gpg: Good signature from "Jaroslav Lichtblau (trusted user)
> <dragonlord@aur.archlinux.org>"
> gpg: Good signature from "Kevin Piche <kevin@archlinux.org>"
> gpg: Good signature from "Ronald van Haren <ronald@archlinux.org>"
> gpg: Good signature from "Vesa Kaihlavirta <vegai@iki.fi>"
>
> Allan

if they are inactive, they can fix their signatures at the time they want to be active again.
I wouldn't wait for them.

Dieter
 
Old 01-11-2012, 09:15 AM
Thomas Bächler
 
Default Enforcing trusted signatures on all package uploads

Am 07.01.2012 09:01, schrieb Allan McRae:
> I see Pierre has already committed the needed change to dbscripts, they
> just need enabled. Is there anything stopping this happening?

Good question. I installed pacman 4 on both gerolde and sigurd and set
up a keyring. I set up the trusted master keys. All we need is for
Pierre to give us the green light on his repo and pull it on both
servers. I've been in Pierre's ears about this for two weeks - I have no
idea what's holding this back.
 

Thread Tools




All times are GMT. The time now is 05:40 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org