pacman4 and unsigned packages

tomk · 2011-10-19 06:22:11

Yes, I know we can use SigLevel = Optional, but I've been using Required, and I'm just wondering if unsigned packages should be reported as bugs, or in some other way, or not at all.

Pierre · 2011-10-19 06:28:20

No need to report them. The transition will take time. ATM just a bit more than 30% of our packages are signed.

tomk · 2011-10-19 07:11:32

OK thanks.

When pacman4 hits core, should we then expect all packages to be signed?

Last edited by tomk (2011-10-19 07:15:17)

Pierre · 2011-10-19 07:14:02

No, quite unlikely.

Allan · 2011-10-19 08:49:32

Just signing old packages is not really a great idea unless the relevant developer has the original package still on their system and can verify its integrity. So any package without a signature will need rebuilt, which will take a while...

ngoonee · 2011-10-19 10:09:43

Allan wrote:

Just signing old packages is not really a great idea unless the relevant developer has the original package still on their system and can verify its integrity. So any package without a signature will need rebuilt, which will take a while...

Would everyone then simply run with 'SigLevel = Optional *' for the near (and medium-term) future? Actually 'Optional TrustAll' for most of us.

Allan · 2011-10-19 13:33:59

Well, currently it is "Optional TrustAll". Hopefully soon we get a keyring sorted and it can be "Optional TrustedOnly" and then eventually "Required TrustedOnly" on a repo-by-repo basis once all packages in a repo are signed.

Arch Linux

#1 2011-10-19 06:22:11

pacman4 and unsigned packages

#2 2011-10-19 06:28:20

Re: pacman4 and unsigned packages

#3 2011-10-19 07:11:32

Re: pacman4 and unsigned packages

#4 2011-10-19 07:14:02

Re: pacman4 and unsigned packages

#5 2011-10-19 08:49:32

Re: pacman4 and unsigned packages

#6 2011-10-19 10:09:43

Re: pacman4 and unsigned packages

#7 2011-10-19 13:33:59

Re: pacman4 and unsigned packages

Board footer