Esteban Carnevale <[email protected]> writes:

> * GPG keys for pacman
>
> Upgrades of parabola-keyring are too verbose now. Do we avoid using
> any kind of master keys? To do this, we would remove
> parabola-keyring. To install a package by a packager which is not on
> the keyring, the user would download the key from a public key server
> (pacman can do this), verify the key and sign it (using pacman-key).
we've been discussing this in the channel for quite some time now. i've made a graph of the pacman signatures[0] using sig2dot[1] so we can see why it's failing. the original is 11M so i resized it a bit.

there're two webs of trust. the big one is archlinux-keyring, the small one is parabola-keyring.

things to notice:

* there're two wots because there're no shared sigs between arch devs and parabola hackers :c
* the master keys approach of arch produces a highly centralized wot
* every arch-dev key has at least three signatures from the master keys
* most parabola hackers only have a signature (from jorginho)

in conclusion, to start fixing things up we need to start signing each other's keys. any parabola hacker must have at least three sigs from other hackers. new keys (meaning new hackers) should start releasing packages after being signed off by three other hackers. sign three other hackers!

i've made some tests and the keys that `pacman-key --populate parabola` asks me to sign locally every time are:

Esteban Carnevale <[email protected]>
Jorge Araya Navarro (mi llave PGP :D) <[email protected]>
Daniel Martí <[email protected]>
Nicolás Reynolds <[email protected]>
Charles Roth (hacking email) <[email protected]>
Brendan Scot Tildesley <[email protected]>
Márcio Silva <[email protected]>
André Silva <[email protected]>
Jorge López <[email protected]>
Joseph Alexander Yaworski Jr. <[email protected]>

(there's something else here, because alfplayer has sigs that don't appear on the keyring!)[2]

[0]: http://ompldr.org/vaHU5cQ/haiti.png and zoom: http://ompldr.org/vaHVhdA/parabola-keyring.png
[1]: http://www.chaosreigns.com/code/sig2dot/ command is `sudo pacman-key --list-sigs | perl sig2dot.pl | neato -Tpng -o haiti.png`
[2]: http://pastie.org/private/lro7ybenor8xmhy9luu8yq
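The post's two observations (the keyring splits into two disconnected webs of trust, and most parabola keys carry only one signature from another hacker) can be checked without rendering a graph. The script below is an added example, not code from the post, from sig2dot or from parabola; it parses the machine-readable `--with-colons` form of `gpg --list-sigs` (which `pacman-key --list-sigs` wraps), drops self-signatures, builds the undirected signature graph over keys present in the keyring, and reports keys with fewer than three in-keyring signers, the connected components, and signers whose keys are not in the keyring at all (the alfplayer case). The key IDs, names and signature layout in `build_sample()` are constructed for the demonstration and do not correspond to real keys; the "at least three signatures from other hackers" threshold is the policy the post proposes.

```python
"""Audit a keyring's web of trust against the rule proposed in the post:
every key needs at least three signatures from *other* keys in the keyring,
and the signature graph should form one connected component, not two.

Input is `gpg --with-colons --list-sigs` output (what pacman-key wraps).
Only 'pub' and 'sig' records are used; field 5 (index 4) holds the key ID
of the listed key (pub) or of the signing key (sig).
"""
import sys
from collections import defaultdict

MIN_SIGS = 3  # policy from the post: at least three sigs from other hackers


def parse_sigs(colon_output):
    """Return {keyid: set(signer keyids)} per pub key, self-signatures dropped."""
    sigs, current = {}, None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]
            sigs.setdefault(current, set())
        elif f[0] == "sig" and current is not None and f[4] != current:
            sigs[current].add(f[4])  # a self-signature is not an endorsement
    return sigs


def components(sigs):
    """Connected components of the signature graph, restricted to keys that
    are in the keyring; signatures from unknown keys cannot link anything."""
    known = set(sigs)
    adj = defaultdict(set)
    for key, signers in sigs.items():
        for s in signers & known:
            adj[key].add(s)
            adj[s].add(key)
    seen, comps = set(), []
    for start in sorted(known):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            k = stack.pop()
            if k not in seen:
                seen.add(k)
                comp.add(k)
                stack.extend(adj[k] - seen)
        comps.append(sorted(comp))
    return comps


def audit(colon_output, min_sigs=MIN_SIGS):
    """Summarise who is under the signature threshold and how the wot splits."""
    sigs = parse_sigs(colon_output)
    known = set(sigs)
    under = {k: len(v & known) for k, v in sigs.items() if len(v & known) < min_sigs}
    unknown = {s for v in sigs.values() for s in v - known}
    return {"keys": len(sigs), "components": components(sigs),
            "under_threshold": under, "unknown_signers": sorted(unknown)}


# Constructed sample keyring (hypothetical key IDs and names, not real keys):
# three "master" keys M1..M3 and two devs D1, D2 on one side, three hackers
# J, P1, P2 on the other, and X, a signer whose key is absent from the keyring.
NAMES = {"M1": ("AAAA000000000001", "Master One"), "M2": ("AAAA000000000002", "Master Two"),
         "M3": ("AAAA000000000003", "Master Three"), "D1": ("BBBB000000000001", "Dev One"),
         "D2": ("BBBB000000000002", "Dev Two"), "J": ("CCCC000000000001", "Hacker J"),
         "P1": ("CCCC000000000002", "Hacker P1"), "P2": ("CCCC000000000003", "Hacker P2"),
         "X": ("FFFF0000000000FF", "Not In Keyring")}
SIGNED_BY = {"M1": ["M2", "M3", "D1"], "M2": ["M1", "M3", "D1"], "M3": ["M1", "M2", "D1"],
             "D1": ["M1", "M2", "M3"], "D2": ["M1", "M2", "M3"],
             "J": ["P1"], "P1": ["J"], "P2": ["J", "X"]}


def build_sample():
    """Emit --with-colons records for the constructed keyring above."""
    lines = []
    for key, signers in SIGNED_BY.items():
        kid, name = NAMES[key]
        lines.append(f"pub:u:4096:1:{kid}:1350000000::u:::scESC::::::23::0:")
        lines.append(f"uid:u::::1350000000::0::{name}::::::::::0:")
        for s in [key] + signers:  # every key carries its own self-sig first
            skid, sname = NAMES[s]
            lines.append(f"sig:::1:{skid}:1350000000::::{sname}:13x:::::2:")
    return "\n".join(lines)


if __name__ == "__main__":
    # pipe `gpg --with-colons --list-sigs` in, or run bare to use the sample
    data = sys.stdin.read() if not sys.stdin.isatty() else build_sample()
    report = audit(data)
    print(f"{report['keys']} keys, {len(report['components'])} web(s) of trust")
    for kid, n in sorted(report["under_threshold"].items()):
        print(f"  {kid}: only {n} in-keyring signer(s), needs {MIN_SIGS}")
    for kid in report["unknown_signers"]:
        print(f"  signer {kid} is not in the keyring")
```

On the sample this reports two components (the master-key side and the hacker side, with no signature crossing between them), the three hacker keys each at one signer, and one signer absent from the keyring; run against real `gpg --with-colons --list-sigs` output it gives the same three answers for an actual keyring.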
_______________________________________________
Dev mailing list
[email protected]
https://lists.parabolagnulinux.org/mailman/listinfo/dev
