On Thu, 2010-04-29 at 00:36 +0200, Linas wrote:
> Thomas Bächler wrote:
> > We must have a system that allows pacman to automatically verify new
> > developer keys and revoke old ones ... even more important, revoke them
> > in a way that signatures made before a certain date are still accepted,
> > but newer ones aren't.
> > I don't see this easily being implemented with PGP-Keys, but maybe
> > someone else knows more.
>
> You can't trust a package made with a compromised key just because it
> looks old. That can be falsified.
> Packages not affected should be re-signed by another developer / the new
> developer's key.
> I would still recompile them, though (without necessarily increasing
> the pkgrel).
>
> You might trust the date if it was already on your local drive before the
> compromise date, but in such a case you probably have it already installed,
> so you don't need to check it.
>
> Under which circumstances would you envision the need to trust an old,
> compromised signature?

New install, dev for a couple of [extra] packages has already left the team.
Having to recompile every time a dev leaves the team is additional (unnecessary)
hassle IMO, especially for bigger packages (openoffice and sons, I'm looking at you).
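The point Linas makes above, that a signature's own timestamp cannot be used to decide whether it predates a key compromise, is easy to demonstrate. The following is an added example, not code from pacman, GnuPG or anyone in this thread. It uses HMAC-SHA256 as a stand-in for a developer's signing key (an assumption chosen so the script runs with the standard library only); the package digests, timestamps and key material are constructed. It contrasts three verification policies: trusting the signer-supplied time (which a holder of the compromised key can backdate), trusting the time the verifier itself recorded the package on local disk, and requiring a fresh signature from a key that has not been revoked.

```python
import hashlib
import hmac
import json


def _message(pkg_digest: str, claimed_time: int) -> bytes:
    """Canonical bytes that get signed: package digest plus the signer-chosen time."""
    return json.dumps({"digest": pkg_digest, "time": claimed_time}, sort_keys=True).encode()


def sign(key: bytes, pkg_digest: str, claimed_time: int) -> dict:
    """Toy signature (HMAC stands in for an asymmetric developer key; assumption).

    Note that `claimed_time` is entirely under the signer's control, exactly as
    the creation time inside a PGP signature packet is."""
    mac = hmac.new(key, _message(pkg_digest, claimed_time), hashlib.sha256).hexdigest()
    return {"digest": pkg_digest, "time": claimed_time, "mac": mac}


def sig_is_valid(key: bytes, sig: dict) -> bool:
    """Cryptographic check only: was this signature made with `key`?"""
    expected = hmac.new(key, _message(sig["digest"], sig["time"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["mac"])


def accept_by_claimed_time(key: bytes, revoked_at: int, sig: dict) -> bool:
    """Naive policy: keep accepting a revoked key's signatures if the
    signature's own timestamp is earlier than the revocation time."""
    return sig_is_valid(key, sig) and sig["time"] < revoked_at


def accept_by_local_receipt(key: bytes, revoked_at: int, sig: dict, received_at: int) -> bool:
    """Policy Linas describes: the date is only meaningful if the verifier
    itself recorded the package on local disk before the compromise date."""
    return sig_is_valid(key, sig) and received_at < revoked_at


def accept_resigned(new_key: bytes, sig: dict) -> bool:
    """Re-signing policy: a package is trusted only under a current, unrevoked key."""
    return sig_is_valid(new_key, sig)


def demo() -> dict:
    # All values below are constructed for the example.
    dev_key = b"old-dev-key-now-in-attacker-hands"
    new_key = b"replacement-dev-key"
    revoked_at = 1272499200                     # 2010-04-29 00:00 UTC, the compromise date
    month_before = revoked_at - 30 * 86400

    good_pkg = hashlib.sha256(b"openoffice-base-3.2-1 (clean build)").hexdigest()
    evil_pkg = hashlib.sha256(b"openoffice-base-3.2-1 (backdoored)").hexdigest()

    # Legitimate signature made a month before the compromise.
    old_sig = sign(dev_key, good_pkg, month_before)
    # Attacker holds the leaked key and simply claims the same old date.
    backdated_sig = sign(dev_key, evil_pkg, month_before)
    # Another developer reviews the clean package and re-signs it with the new key.
    resigned = sign(new_key, good_pkg, revoked_at + 7 * 86400)

    return {
        # Both pass: the timestamp check cannot tell the backdated one apart.
        "naive_accepts_genuine_old": accept_by_claimed_time(dev_key, revoked_at, old_sig),
        "naive_accepts_backdated": accept_by_claimed_time(dev_key, revoked_at, backdated_sig),
        # Local receipt time is not attacker-controlled: the package that was on disk
        # ten days before the compromise passes, the one fetched afterwards does not.
        "receipt_accepts_genuine_old": accept_by_local_receipt(
            dev_key, revoked_at, old_sig, received_at=revoked_at - 10 * 86400),
        "receipt_rejects_backdated": accept_by_local_receipt(
            dev_key, revoked_at, backdated_sig, received_at=revoked_at + 3600),
        # Re-signing: clean package carries a signature from the new key,
        # the attacker cannot produce one because they never held that key.
        "resigned_accepts_clean": accept_resigned(new_key, resigned),
        "resigned_rejects_attacker": accept_resigned(new_key, backdated_sig),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:32s} {result}")
```

The "local receipt" policy only helps a machine that already had the package before the compromise, which is why it does not address the fresh-install case raised in the reply; for a new install the only options the thread leaves are re-signing (and, optionally, rebuilding) under a key that is still trusted.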