[arch] GPG Signing Support in Pacman?
Joshua Rubin
joshua at cybertron.cc
Sun Nov 28 15:25:01 EST 2004
Hi,
I am a convert from slackware (get better soon pat!) and have strong bsd
roots, so I love arch. One thing that concerns me is that pacman does not
check the validity of the packages. Slackware has been signing packages for
a long time. An easy thing to add would be a *.pkg.tar.gz.asc file, for
every package in the repo, that is a gpg ascii armored signature file.
Pacman could have an option in pacman.conf of the keys that are valid for
packages. Pacman would then just verify that the package key file matches
the package and one of the keys in the pacman.conf file. This would add a
lot of assurance to all users. I guess this is mostly directed at Judd since
pacman is his baby, but I was hoping to get some other comments. Sorry if
this has been discussed before. Arch has been great and I hope to help as
much as I can as we move towards 1.0!
Joshua
--
Joshua Rubin
Joshua.Rubin at Colorado.EDU
(303) 909-6199
http://www.cybertron.cc
Cassini Mission to Saturn
Ultraviolet Imaging Spectrograph (UVIS)
Assistant Team Lead
My PGP Public Key:
http://pgp.mit.edu:11371/pks/lookup?search=0xBECC02AE&op=index
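
The check proposed in the message above, sketched as an added example (not part of the original post and not pacman's code): verify a detached `.asc` signature with gpg and accept the package only if the signing key is on a configured list. The allowlist file (one full fingerprint per line, standing in for the proposed pacman.conf option) and the function names are assumptions, and the packagers' public keys are assumed to be in the local GnuPG keyring already.

```shell
#!/bin/sh
# Added example; the allowlist format and function names are hypothetical.

# signer_allowed STATUS ALLOWLIST
#   STATUS:    output of `gpg --status-fd 1 --verify pkg.asc pkg`
#   ALLOWLIST: file with one full key fingerprint per line ('#' starts a comment)
# Returns 0 only for a valid signature made by an allowlisted key.
signer_allowed() {
    status=$1
    allowlist=$2

    # Refuse bad, unverifiable, expired or revoked signatures outright.
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi

    # VALIDSIG carries the signing key fingerprint (field 3) and, as its last
    # field, the primary key fingerprint. Keep only fingerprint-shaped values.
    fprs=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            n = split($3 " " $NF, f, " ")
            for (i = 1; i <= n; i++)
                if (length(f[i]) >= 40 && f[i] ~ /^[0-9A-Fa-f]+$/) print f[i]
        }')

    for fpr in $fprs; do
        # Strip comments and spaces from the allowlist, then match whole lines.
        if sed 's/#.*//; s/[[:space:]]//g' "$allowlist" | grep -Fxiq -- "$fpr"; then
            return 0
        fi
    done
    return 1   # no VALIDSIG line, or the signer is not on the list
}

# verify_package PKG ALLOWLIST: checks PKG against its detached PKG.asc.
verify_package() {
    pkg=$1
    [ -f "$pkg.asc" ] || { echo "missing signature: $pkg.asc" >&2; return 1; }
    # gpg's exit code is ignored on purpose; the status lines decide.
    status=$(gpg --batch --status-fd 1 --verify "$pkg.asc" "$pkg" 2>/dev/null) || true
    signer_allowed "$status" "$2"
}

# Usage: sh verify.sh foo.pkg.tar.gz allowed-keys.txt
if [ "$#" -eq 2 ]; then verify_package "$1" "$2"; fi
```

Matching on the full fingerprint rather than on "some key in the keyring signed this" is what ties the result to the configured list: a valid signature from any other imported key is still rejected.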