FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > ArchLinux > ArchLinux Pacman Development

 
 
LinkBack Thread Tools
 
Old 03-01-2011, 02:10 PM
Denis A. Altoé Falqueto
 
Default repo-add and access to pacman keyring

On Tue, Mar 1, 2011 at 1:25 AM, Allan McRae <allan@archlinux.org> wrote:
> On 19/02/11 12:02, Denis A. Altoé Falqueto wrote:
>>
>> Hi,
>>
>> Well, it seems I'm busy lately, doesn't it?
>>
>> I was implementing the first TODO list for repo-add in (see
>> https://wiki.archlinux.org/index.php/User:Allan/Package_Signing) and
>> stuck in a point where I need some opinions on what to do.
>>
>> repo-add should verify if the signature is valid and if it is from
>> someone from a list of valid keys. I think that list should be
>> pacman's keyring, because it is the keyring the final user will use to
>> verify the signatures, right?
>>
>> So, repo-add needs read access to pacman's keyring, so the keyring
>> would need to be readable for anyone. gpg emits a warning when the
>> keyring dir and files have insecure permissions (any permissions for
>> group owner and other users). In my opinion, this could be ignored,
>> because pacman's keyring doesn't have any private information. Of
>> course, writing permissions should be granted only to root, the owner
>> of the keyring.
>>
>> After all, do you agree with my reasoning? Can we make pacman's
>> keyring readable for anyone?
>>
>
> The more I think about this, I am beginning to lean towards just leaving
> this at the moment. *I think we should wait for some actual usage of the
> signing system before we can decide exactly what to do here. * Once a
> workflow is figured out for when a distribution starts using this signing
> system, we will know when the repo db is being signed (in a central
> location, on the developers computer and then uploaded, etc) and by what key
> (repo master key, developers key) and then we can see where improvements can
> be made.
>
> So lets just skip that TODO item for now.
>
> Allan
>
>

I came to the same conclusion yesterday. Thanks for the reply

--
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

-------------------------------------------
Denis A. Altoe Falqueto
Linux user #524555
-------------------------------------------
 

Thread Tools




All times are GMT. The time now is 05:19 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org