Re: Package signing

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Thomas Bächler wrote:
> We must have a system that allows pacman to automatically verify new
> developer keys and revoke old ones ... even more important, revoke them
> in a way that signatures made before a certain date are still accepted,
> but newer ones aren't.
> I don't see this easily being implemented with PGP-Keys, but maybe
> someone else knows more.
>   

You can't trust a package made with a compromised key just because it
looks old. That can be falsified.
Packages not affected should be resigned by another developer / the new
developers key.
I would still recompile them, though (withouth necessarily increasing
the pkgrel).

You might trust the date it if it was already in your local drive before
the
compromise date, but in such case you probably have it already installed,
so you don't need to trust check it.

Under which circunstances would you envision the need to trust an old,
compromised signature?

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]
  Powered by Linux