Allan McRae wrote:
>> 3. Package signing by developers
>>
>> When a developer builds a new package, makepkg will have the options
>> to sign the package too, with the developer's own key (not the KSK, if
>> the developer owns one). At this point, there are three options (that
>> we should choose now) for the format of the signed/signature pair:
>>
>> - detached signature external to the package: the package will stay
>> unchanged and there'll be a new file for the signature.
>> - detached signature internal to the package: makepkg would generate
>> a detached signature, but would tar the package and the signature into
>> a new file, so that both are always together (Debian and RPM based
>> distros do it that way). This would have a bigger impact on all developer
>> tools and pacman itself.
>> - attached signature: the signature would contain the signed file,
>> and pgp would be used to extract the signed file. Just like the one
>> above, this would require lots of changes on the tools.
>>
>> The cheaper approach is obviously the first option. It will not
>> require lots of changes, but there'll be some. Maybe the convenience
>> of the latter two would compensate for the trouble of changing the
>> tools? Comments very much appreciated.
>
> The first method is what is currently used on the gpg patches that are
> available. The signature is made in a separate file and then is
> inserted in the repo db when the package is added.

I would prefer having the signature along with the package. Maybe as a tar extended header. This way you can't lose the detached signature (it also means that you need to download twice as many files).

>> 6. Final comments
>>
>> I believe that these suggestions are feasible and will bring a new
>> level of quality to Arch Linux. The gpg branch of pacman git
>> repository of Allan is in a good position in relation to what I
>> suggested above. One possible problem is that gpgme is not able to
>> update a trustdb (or at least I couldn't find how). Maybe we'll have to
>> use some script for that.
>
> Could the trust database be updated via pacman using post_install on
> some pacman-keychain package?
>
> Allan

I don't see how the pacman-keychain database is going to be updated, since we should also allow the user to make manual changes, so simply replacing the file wouldn't work.
