Thomas Bächler wrote:
> We must have a system that allows pacman to automatically verify new
> developer keys and revoke old ones ... even more important, revoke them
> in a way that signatures made before a certain date are still accepted,
> but newer ones aren't.
> I don't see this easily being implemented with PGP-Keys, but maybe
> someone else knows more.

You can't trust a package made with a compromised key just because it looks old. That can be falsified. Packages not affected should be re-signed by another developer / the new developer's key. I would still recompile them, though (without necessarily increasing the pkgrel).

You might trust the date if it was already on your local drive before the compromise date, but in such a case you probably have it already installed, so you don't need to check it.

Under which circumstances would you envision the need to trust an old, compromised signature?
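The two positions above (a date cutoff for revoked keys versus "a revoked key signs nothing acceptable") can be compared directly in code. The following is an added example, not code from this thread or from pacman: it models signatures as HMAC-SHA256 tags over (claimed creation time || package bytes), standing in for PGP signatures and their signer-chosen creation-time subpacket. Key ids, key bytes, package names and timestamps are constructed for the demonstration. It shows why the reply is right that an old-looking date can be falsified: the holder of a compromised key can backdate a signature on a backdoored package, and the cutoff policy accepts it, while the hard-revoke policy rejects it and accepts the same package once re-signed under a new key.

```python
"""Toy model: date-cutoff revocation versus hard revocation of a compromised key.

Stand-in for PGP: a 'signature' is HMAC-SHA256 over (created || package).
As with a PGP creation-time subpacket, 'created' is chosen by whoever holds
the key, so it is authenticated by the key but no more trustworthy than it.
"""
import hashlib
import hmac
from dataclasses import dataclass

DAY = 86400


@dataclass(frozen=True)
class Signature:
    key_id: str
    created: int   # claimed creation time (Unix seconds), set by the signer
    tag: bytes


def sign(key: bytes, key_id: str, package: bytes, created: int) -> Signature:
    """The signer picks 'created' freely; nothing binds it to real time."""
    msg = created.to_bytes(8, "big") + package
    return Signature(key_id, created, hmac.new(key, msg, hashlib.sha256).digest())


def tag_is_valid(key: bytes, package: bytes, sig: Signature) -> bool:
    msg = sig.created.to_bytes(8, "big") + package
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), sig.tag)


class Keyring:
    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.revoked_at: dict[str, int] = {}   # key_id -> revocation cutoff time

    def add(self, key_id: str, key: bytes) -> None:
        self.keys[key_id] = key

    def revoke(self, key_id: str, cutoff: int) -> None:
        self.revoked_at[key_id] = cutoff

    def verify_date_cutoff(self, package: bytes, sig: Signature) -> bool:
        """Quoted proposal: a revoked key is still accepted for signatures dated before the cutoff."""
        key = self.keys.get(sig.key_id)
        if key is None or not tag_is_valid(key, package, sig):
            return False
        cutoff = self.revoked_at.get(sig.key_id)
        return cutoff is None or sig.created < cutoff

    def verify_hard_revoke(self, package: bytes, sig: Signature) -> bool:
        """Reply's position: a revoked key signs nothing acceptable, whatever the claimed date."""
        key = self.keys.get(sig.key_id)
        if key is None or sig.key_id in self.revoked_at:
            return False
        return tag_is_valid(key, package, sig)


def scenario() -> dict:
    """Constructed scenario: old dev key is compromised, then revoked with a cutoff."""
    ring = Keyring()
    old_key = b"old-developer-key-(constructed)"   # hypothetical key material
    new_key = b"new-developer-key-(constructed)"
    ring.add("dev-old", old_key)
    ring.add("dev-new", new_key)

    compromise = 1_300_000_000                       # constructed timestamp
    good_pkg = b"example-1.0-1.pkg.tar.xz"           # constructed package bytes
    good_sig = sign(old_key, "dev-old", good_pkg, compromise - 30 * DAY)

    ring.revoke("dev-old", compromise)

    # Attacker holds old_key and simply claims a creation time before the cutoff.
    evil_pkg = b"example-1.0-1.pkg.tar.xz + backdoor"
    forged_sig = sign(old_key, "dev-old", evil_pkg, compromise - 1 * DAY)

    # Unaffected package re-signed by the new developer key, as the reply suggests.
    resigned_sig = sign(new_key, "dev-new", good_pkg, compromise + DAY)

    return {
        "cutoff_accepts_old_good": ring.verify_date_cutoff(good_pkg, good_sig),
        "cutoff_accepts_backdated_forgery": ring.verify_date_cutoff(evil_pkg, forged_sig),
        "hard_rejects_old_good": not ring.verify_hard_revoke(good_pkg, good_sig),
        "hard_rejects_backdated_forgery": not ring.verify_hard_revoke(evil_pkg, forged_sig),
        "hard_accepts_resigned": ring.verify_hard_revoke(good_pkg, resigned_sig),
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The cutoff policy accepts the backdated forgery because the only evidence of age it has is a field the attacker wrote. Making the date trustworthy would require something outside the signer's control, such as a timestamp from an independent service or the package already being present locally before the compromise, which is the case the reply notes is usually moot because the package is then already installed.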