On Wed, May 5, 2010 at 2:38 PM, Linas wrote:
> Allan McRae wrote:
>> The first method is what is currently used on the gpg patches that are
>> available. The signature is made in a separate file and then is
>> inserted in the repo db when the package is added.
>
> I would prefer having the signature along the package. Maybe as a tar
> extended header.
> This way you can't lose the detached signature (it also means that you
> need to download twice as many files).
Hey, that would be cool! We wouldn't need to change the name structure of
the package and would not lose the signature.

>> Could the trust database be updated via pacman using post_install on
>> some pacman-keychain package?
>>
>> Allan
>
> I don't see how the pacman-keychain database is going to be updated,
> since we should also allow the user to make manual changes, so simply
> replacing the file wouldn't work.

There'll be a script for that, so users and the post-install script will be
able to handle it without getting into the details of keyring manipulation.
It will be something like:

# pacman-key --import <keyfile>
# pacman-key --trust <keyid>

post-install would call pacman-key --updatedb and the script would delete
the old keys and append the new ones, as I wrote in the reply to Allan. This
must be called as root, but pacman is always called as root as well, so it
is not a problem.

In the last case, the user will have to explicitly specify the trust level
of the key. We could even automate this, but I don't think it is a good
idea. The user must have responsibility for his system (Arch Way rules).

I'll try to commit it to gitorious as soon as I get home, so you can have a
look and the discussion is brought to a more practical level too.

-- 
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

-------------------------------------------
Denis A. Altoe Falqueto
-------------------------------------------
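The "signature in a tar extended header" idea from Linas's mail, as an added worked example that is not code from pacman or from anyone on this thread. It shows the one design point that proposal forces: a signature stored inside the package cannot cover the raw package bytes (it would have to sign itself), so it has to cover a canonical digest of the members instead. The pax keyword ARCHLINUX.pkgsig is a hypothetical name, the package contents are constructed, and HMAC-SHA256 with a constructed key stands in for the OpenPGP detached signature the thread is actually about; only the packaging of the signature is being demonstrated, using the standard library tarfile module.

```python
import hashlib
import hmac
import io
import tarfile

# Hypothetical pax keywords (assumption: the thread names none). Vendor-prefixed
# keywords are the usual convention for private pax extensions.
SIG_KEYWORD = "ARCHLINUX.pkgsig"
SIG_ALGO_KEYWORD = "ARCHLINUX.pkgsig.algo"

# Constructed demo key. HMAC-SHA256 is a stand-in for a real OpenPGP detached
# signature; swap sign_digest() for gpg and the rest of the scheme is unchanged.
DEMO_KEY = b"constructed-demo-signing-key"

# Constructed package contents, not a real Arch package.
SAMPLE_FILES = {
    ".PKGINFO": b"pkgname = demo\npkgver = 1.0-1\n",
    "usr/bin/demo": b"#!/bin/sh\necho demo\n",
}


def canonical_digest(entries):
    """SHA-256 over (name, size, data) of every regular file, in archive order.

    Because the signature travels inside the tarball it cannot cover the raw
    file bytes; it covers this member-level digest, which is the same whether
    or not the global header is present and whatever the outer compression is.
    """
    h = hashlib.sha256()
    for name, data in entries:
        h.update(f"{name}\0{len(data)}\0".encode())
        h.update(data)
        h.update(b"\0")
    return h.hexdigest()


def sign_digest(digest, key):
    """Stand-in for the OpenPGP signing step."""
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def build_package(files, key=DEMO_KEY):
    """Return a PAX-format tar; with a key, the global extended header carries
    the signature over the members' canonical digest. key=None builds an
    unsigned package for comparison."""
    headers = {}
    if key is not None:
        headers = {
            SIG_KEYWORD: sign_digest(canonical_digest(files.items()), key),
            SIG_ALGO_KEYWORD: "hmac-sha256",
        }
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w", format=tarfile.PAX_FORMAT,
                      pax_headers=headers) as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o644
            tf.addfile(info, io.BytesIO(data))
    return out.getvalue()


def verify_package(blob, key=DEMO_KEY):
    """True only if an embedded signature is present and matches the members."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tf:
        # Reading the member list also consumes the global pax header, which
        # tarfile exposes as tf.pax_headers rather than as a member.
        entries = [(m.name, tf.extractfile(m).read())
                   for m in tf.getmembers() if m.isfile()]
        sig = tf.pax_headers.get(SIG_KEYWORD)
        algo = tf.pax_headers.get(SIG_ALGO_KEYWORD)
    if sig is None or algo != "hmac-sha256":
        return False
    expected = sign_digest(canonical_digest(entries), key)
    return hmac.compare_digest(sig, expected)


if __name__ == "__main__":
    pkg = build_package(SAMPLE_FILES)
    print("signed package verifies:", verify_package(pkg))
    # Same-length edit of a member's data inside the archive.
    print("tampered package verifies:",
          verify_package(pkg.replace(b"echo demo", b"echo evil")))
```

Two things worth noting when weighing this against the detached-file approach Allan describes. The digest here covers only names, sizes and contents; a real scheme would also need to cover mode, owner and symlink targets, since those are what pacman installs. And because the signature is inside the package, repo-add can no longer pick up a .sig file from the directory; it would have to open each package and read the global header out of it.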
