On Thu, Jun 19, 2008 at 3:28 PM, Dan McGee <[EMAIL PROTECTED]> wrote:
> I'll try to summarize the points a bit; this must have come up in
> private discussion but never a public forum.
>
> 1. Signing databases with one sig gives no way for users to distribute
> signed individual packages and have them verified by pacman.
>
> 2. Signing a database is a rather big deal. Do I feel comfortable
> signing off on all 2150 packages in extra every single time I sign the
> database? Not at all. What happens if we later find out one package
> was compromised? The whole chain of trust has now been broken, and
> people can't mark a particular signature as untrustworthy to prevent
> installation of a given package.
>
> 3. Signing what you are in control of just seems like the more correct
> solution.
>
> 4. We've found a way to do signoffs on individual packages without
> bloating the database or number of files. PGP signatures can be put in
> the database itself, so it is just another verification like md5sum.
> The biggest reason I had against signing individual packages was the
> fact that .sig files would introduce a hell of a lot of clutter.
>
Ok, that makes sense.

_______________________________________________
pacman-dev mailing list
[email protected]
http://archlinux.org/mailman/listinfo/pacman-dev
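The trade-off Dan describes in points 2 and 4 (one signature over the whole database versus a per-package signature stored next to the md5sum in the database) can be made concrete with a small model. The following is an added example, not pacman's code and not anything from the list: a constructed three-package repository, HMAC-SHA256 standing in for a PGP signature purely so the script runs offline with the standard library, and a `verify_package` check that runs integrity, signature and a local "untrusted signatures" list in that order. It shows that with per-package signatures a single compromised package can be distrusted on its own, whereas with one database signature distrusting that package means rejecting (and re-signing) the whole database.

```python
import hashlib
import hmac

# Constructed stand-in for a packager's PGP key. HMAC-SHA256 is used only so the
# example runs offline with the standard library; the thread is about real PGP signatures.
PACKAGER_KEY = b"constructed-packager-key"


def sign(data: bytes, key: bytes = PACKAGER_KEY) -> str:
    """Stand-in for a detached PGP signature over a package file."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_db(packages: dict) -> dict:
    """Repository database in the point-4 layout: each entry carries its own
    md5sum and its own signature, so no separate .sig files are needed."""
    return {
        name: {
            "md5sum": hashlib.md5(content).hexdigest(),
            "pgpsig": sign(content),
        }
        for name, content in packages.items()
    }


def sign_whole_db(db: dict) -> str:
    """The alternative from points 1 and 2: one signature over the entire database."""
    serialized = "\n".join(f"{n} {e['md5sum']}" for n, e in sorted(db.items())).encode()
    return sign(serialized)


def verify_package(name, content, db, untrusted_sigs=frozenset(), key=PACKAGER_KEY):
    """Verify one downloaded package against its database entry.

    Checks run in the order a client would run them: cheap integrity (md5sum) first,
    then the signature, then the local list of signatures the user has marked
    untrusted, which is the per-package revocation a single database signature
    cannot express.
    """
    entry = db.get(name)
    if entry is None:
        return "not in database"
    if hashlib.md5(content).hexdigest() != entry["md5sum"]:
        return "md5sum mismatch"
    if not hmac.compare_digest(sign(content, key), entry["pgpsig"]):
        return "bad signature"
    if entry["pgpsig"] in untrusted_sigs:
        return "signature marked untrusted"
    return "ok"


# Constructed sample repository of three packages.
PACKAGES = {
    "foo-1.0": b"foo package contents",
    "bar-2.3": b"bar package contents",
    "baz-0.9": b"baz package contents",
}
DB = build_db(PACKAGES)


def demo():
    # Later bar-2.3 turns out to be compromised: only its signature is marked
    # untrusted, and foo and baz keep verifying.
    untrusted = frozenset({DB["bar-2.3"]["pgpsig"]})
    results = {n: verify_package(n, c, DB, untrusted) for n, c in PACKAGES.items()}

    # A tampered download is rejected by the md5sum before the signature is checked.
    tampered = verify_package("foo-1.0", b"foo package contents (modified)", DB)

    # With a single database signature, dropping bar-2.3 changes the signed input,
    # so the old signature no longer covers the database and everything must be re-signed.
    old_db_sig = sign_whole_db(DB)
    new_db = build_db({n: c for n, c in PACKAGES.items() if n != "bar-2.3"})
    needs_resign = sign_whole_db(new_db) != old_db_sig
    return results, tampered, needs_resign


if __name__ == "__main__":
    print(demo())
```

The md5sum check here is only an integrity check against corruption; authenticity comes from the per-entry signature, which is exactly why the thread treats the signature as "just another verification like md5sum" rather than a replacement for it.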
