You are not logged in.

#1 2011-10-19 06:22:11

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,837

pacman4 and unsigned packages

Yes, I know we can use SigLevel = Optional, but I've been using Required, and I'm just wondering if unsigned packages should be reported as bugs, or in some other way, or not at all.

Offline

#2 2011-10-19 06:28:20

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,950
Website

Re: pacman4 and unsigned packages

No need to report them. The transition will take time. ATM just a bit more than 30% of our packages are signed.

Offline

#3 2011-10-19 07:11:32

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,837

Re: pacman4 and unsigned packages

OK thanks.

When pacman4 hits core, should we then expect all packages to be signed?

Last edited by tomk (2011-10-19 07:15:17)

Offline

#4 2011-10-19 07:14:02

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,950
Website

Re: pacman4 and unsigned packages

No, quite unlikely.

Offline

#5 2011-10-19 08:49:32

Allan
Developer
From: Brisbane, AU
Registered: 2007-06-09
Posts: 10,379
Website

Re: pacman4 and unsigned packages

Just signing old packages is not really a great idea unless the relevant developer has the original package still on their system and can verify its integrity.  So any package without a signature will need rebuilt, which will take a while...

Offline

#6 2011-10-19 10:09:43

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 6,796

Re: pacman4 and unsigned packages

Allan wrote:

Just signing old packages is not really a great idea unless the relevant developer has the original package still on their system and can verify its integrity.  So any package without a signature will need rebuilt, which will take a while...

Would everyone then simply run with 'SigLevel = Optional *' for the near (and medium-term) future? Actually 'Optional TrustAll' for most of us.


Allan-Volunteer on the (topic being discussed) mailn lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.

Offline

#7 2011-10-19 13:33:59

Allan
Developer
From: Brisbane, AU
Registered: 2007-06-09
Posts: 10,379
Website

Re: pacman4 and unsigned packages

Well, currently it is "Optional TrustAll".  Hopefully soon we get a keyring sorted and it can be "Optional TrustedOnly" and then eventually "Required TrustedOnly" on a repo-by-repo basis once all packages in a repo are signed.

Offline

Board footer

Powered by FluxBB