Excerpts from Geoffroy Carrier's message of Mon Jun 02 03:04:40 +0200 2008:
> From: Geoffroy Carrier <[EMAIL PROTECTED]>

And this guy could explain what he does...

Sorry, I'm still learning git. Dozens of thanks to toofishes: without
him, this patch might still be in my computer, or not, but never here.

My idea is that devs could sign packages in the main repos. Those
signatures would be embedded into the db file. [core] could include
some 'archlinux-keyring', which would provide
/etc/pacman.d/archlinux-keyring. Adapt this to any other distribution,
BTW.

For pacman's options, at least 3 choices are possible:
 - An option to disable signature checks or specify the keyring
 - The same thing, repository-based (you can use a different keyring for
   each repository)
 - An option to enable/disable signature checks, and then pacman
   interactively prompts the user whether or not he trusts the packager.
   It could automatically get the key when it doesn't have it, and use
   gnupg's web of trust. Then archlinux-keyring would be useless.
   It's theoretically the best solution, but I prefer the first two.

-- 
Geoffroy Carrier
http://gcarrier.koon.fr/
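
The policy described in the message (a global keyring, a per-repository keyring override, a check that can be switched off, and a prompt-for-trust mode) as an added, self-contained model. This is not pacman's or Arch Linux's code: the option names SigCheck and Keyring, the %SIGKEY%/%SIG% db fields, the sample pacman.conf, the keyring contents and the package bytes are all constructed for the example, and the OpenPGP signature is replaced by an HMAC-SHA256 tag over the db record so that it runs offline without gnupg.

```python
"""Added example, not pacman code: per-repository signature policy for db records.

Hypothetical option names: SigCheck = Off | Keyring | Prompt, Keyring = <path>.
A repository section overrides [options]. The real proposal would use OpenPGP
keys; here a keyring maps key id -> secret and a "signature" is an HMAC-SHA256
tag over (name, version, sha256sum), a stand-in chosen so the example is offline.
"""
import hashlib
import hmac
from configparser import ConfigParser

# Constructed pacman.conf fragment (option names are hypothetical).
SAMPLE_CONF = """
[options]
SigCheck = Keyring
Keyring = /etc/pacman.d/archlinux-keyring

[core]
Server = http://mirror.example/core

[extra]
Keyring = /etc/pacman.d/extra-keyring

[community]
SigCheck = Prompt

[unsigned]
SigCheck = Off
"""

# Constructed keyrings: path -> {keyid: secret}.
KEYRINGS = {
    "/etc/pacman.d/archlinux-keyring": {"ABCD1234": b"core-dev-secret"},
    "/etc/pacman.d/extra-keyring": {"EF567890": b"extra-dev-secret"},
}
# Keys that Prompt mode can "fetch" once the user accepts the packager (constructed;
# stands in for a keyserver lookup).
FETCHABLE_KEYS = {"1A2B3C4D": b"community-dev-secret"}


class SigError(Exception):
    pass


def parse_conf(text):
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option case as written in pacman.conf
    cp.read_string(text)
    return cp


def effective_policy(cp, repo):
    """(SigCheck, Keyring) for a repo: section value, else [options], else default."""
    opts = cp["options"] if cp.has_section("options") else {}
    sec = cp[repo]
    sigcheck = sec.get("SigCheck", opts.get("SigCheck", "Keyring"))
    keyring = sec.get("Keyring", opts.get("Keyring", "/etc/pacman.d/archlinux-keyring"))
    return sigcheck, keyring


def sign(secret, name, version, sha256):
    """Stand-in for the packager's signature: HMAC over the fields the db publishes."""
    msg = f"{name} {version} {sha256}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_desc(name, version, pkgdata, keyid=None, secret=None):
    """Build a %FIELD%/value db record; the signature covers name, version and hash."""
    sha = hashlib.sha256(pkgdata).hexdigest()
    fields = [("NAME", name), ("VERSION", version), ("SHA256SUM", sha)]
    if keyid is not None:
        fields += [("SIGKEY", keyid), ("SIG", sign(secret, name, version, sha))]
    return "".join(f"%{k}%\n{v}\n\n" for k, v in fields)


def parse_desc(text):
    """Parse a %FIELD%/value block into a dict (single-valued fields only)."""
    rec, field = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            field = None
        elif line.startswith("%") and line.endswith("%"):
            field = line[1:-1]
        elif field:
            rec[field] = line
    return rec


def verify(cp, repo, desc_text, pkgdata=None, trust_prompt=None):
    """Return 'unchecked' or 'verified'; raise SigError on any failure."""
    desc = parse_desc(desc_text)
    name = desc.get("NAME", "?")
    sigcheck, keyring_path = effective_policy(cp, repo)
    if sigcheck == "Off":
        return "unchecked"
    keyring = dict(KEYRINGS.get(keyring_path, {}))
    keyid, sig = desc.get("SIGKEY"), desc.get("SIG")
    if not keyid or not sig:
        raise SigError(f"{repo}/{name}: package is unsigned")
    if keyid not in keyring:
        # Prompt mode: ask whether the packager is trusted, then fetch the key.
        if sigcheck != "Prompt" or not (trust_prompt and trust_prompt(keyid)):
            raise SigError(f"{repo}/{name}: signer {keyid} not in {keyring_path}")
        if keyid not in FETCHABLE_KEYS:
            raise SigError(f"{repo}/{name}: key {keyid} could not be fetched")
        keyring[keyid] = FETCHABLE_KEYS[keyid]
    expected = sign(keyring[keyid], name, desc.get("VERSION", ""), desc.get("SHA256SUM", ""))
    if not hmac.compare_digest(expected, sig):
        raise SigError(f"{repo}/{name}: signature does not match db record")
    # The signature binds the checksum; the downloaded file must then match it.
    if pkgdata is not None and hashlib.sha256(pkgdata).hexdigest() != desc.get("SHA256SUM"):
        raise SigError(f"{repo}/{name}: package file does not match signed checksum")
    return "verified"


def check(cp, repo, desc_text, pkgdata=None, trust_prompt=None):
    """verify() that reports 'rejected' instead of raising."""
    try:
        return verify(cp, repo, desc_text, pkgdata, trust_prompt)
    except SigError as e:
        print(e)
        return "rejected"


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    pkg = b"constructed package bytes"
    rec = make_desc("pacman", "3.1.4-1", pkg, "ABCD1234", b"core-dev-secret")
    print("core:", check(conf, "core", rec, pkg))
    print("extra (wrong keyring):", check(conf, "extra", rec, pkg))
    print("tampered:", check(conf, "core", rec.replace("3.1.4-1", "3.1.4-2"), pkg))
```

Note that a package signed with a key from the [extra] keyring is rejected when it appears in [core], and that changing any signed field of the db record or substituting the package file both fail, while a repository with SigCheck = Off is accepted unchecked, which is the failure mode the message's third option tries to avoid by prompting instead.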

_______________________________________________
pacman-dev mailing list
[email protected]
http://archlinux.org/mailman/listinfo/pacman-dev
