On Thu, Mar 24, 2011 at 9:49 PM, Allan McRae <al...@archlinux.org> wrote:
> On 25/03/11 11:32, Dan McGee wrote:
>>
>> On Thu, Mar 24, 2011 at 8:00 PM, Denis A. Altoé Falqueto
>> <denisfalqu...@gmail.com> wrote:
>>>
>>> On Thu, Mar 24, 2011 at 8:05 PM, Ray Kohler<ataraxia...@gmail.com>
>>> wrote:
>>>>
>>>> Signed-off-by: Ray Kohler<ataraxia...@gmail.com>
>>>> ---
>>>> scripts/pacman-key.sh.in | 6 ++++++
>>>> 1 files changed, 6 insertions(+), 0 deletions(-)
>>>>
>>>> diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
>>>> index 5746e64..ccc7f92 100644
>>>> --- a/scripts/pacman-key.sh.in
>>>> +++ b/scripts/pacman-key.sh.in
>>>> @@ -246,6 +246,12 @@ if [[ GPGDIR=$(find_config "GPGDir") == 0 ]]; then
>>>> fi
>>>> GPG_PACMAN="gpg --homedir ${PACMAN_KEYRING_DIR}"
>>>>
>>>> +# Try to create $PACMAN_KEYRING_DIR if non-existent
>>>> +# Check for simple existence rather than for a directory as someone may
>>>> want
>>>> +# to use a symlink here
>>>> +# Force mode 700 as gpg complains if any group or other access is
>>>> present
>>>> +[[ -e ${PACMAN_KEYRING_DIR} ]] || mkdir -p -m 700
>>>> "${PACMAN_KEYRING_DIR}"
>>
>> Why 700? Any reason a normal user should not be able to read this and
>> validate a package on a non-root operation? e.g. pacman -Qlp<package>
>> should run our GPG machinery eventually if a .sig is sitting
>> alongside.
>
> gpg makes warnings about anything else. These warnings can be suppressed
> with command-line gpg usage, so I guess they can be suppressed in gpgme.
I agree, that would be nicer than locking non-root users out - but I
don't know how it's done.
