On Wed, Apr 28, 2010 at 6:37 PM, Linas <linas_fi@xxxxxxxxx> wrote:
> I wrote about this topic ~1 month ago.
> You don't need PKIs or to distribute the keyrings themselves. GPG supports
> transitive trust.
> The pacman keyring would be installed by default trusting whatever keys
> a pacman root signature has signed (there could also be a different master
> key for community developers).
> The basic idea here is that you are not trusting the repository, but the
> individuals themselves.
> The master key -which can be kept offline and is only used when a
> developer joins/parts- provides a basic default (people we generally trust),
> but a power user could reconfigure it to not accept packages signed by
> Pierre, because he distrusts him :), or he can add additional trusted
> people (a much more likely scenario) by just adding that person's key to his
> keyring.

Hi, Linas.

Yes, you are right. I'm reading about the transitive trust scheme and it really solves most of our problems. For the interested, here is an interesting explanation:

http://www.apache.org/dev/openpgp.html#wot-verifying-links

About the other comments: in fact, the web of trust explained in the link is the correct implementation of what I had in mind. I'll draft a workflow and return in a while.

-- 
A: Because it obfuscates the reading.
Q: Why is top posting so bad?
-------------------------------------------
Denis A. Altoe Falqueto
-------------------------------------------
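The scheme Linas describes (an offline master key that certifies developer keys, and a shipped keyring that trusts only the master) can be reproduced end to end with plain GnuPG. The script below is an added illustration written for this page; it is not pacman code and not part of the thread. It builds three throwaway homedirs (master, a developer the master certifies, and a key the master never signed), assembles a "pacman keyring" in which only the master has ultimate ownertrust, signs the same constructed package file with both the developer and the uncertified key, and prints the TRUST_* status gpg assigns to each signature. The user IDs, e-mail addresses and file names are made up for the demo.

```shell
#!/bin/sh
# Added demo of the transitive-trust scheme discussed above (not pacman code).
# An offline master key certifies developer keys; a keyring that holds only the
# master key as ultimately trusted then accepts a package signature from any
# developer the master has certified and reports a signature from an
# uncertified key as untrusted. Names, addresses and file names are made up.
set -eu

# Run gpg against one homedir, non-interactively, with no pinentry prompts.
g() {
    _home=$1; shift
    gpg --homedir "$_home" --batch --quiet --no-tty --yes \
        --pinentry-mode loopback --passphrase '' "$@" 2>/dev/null
}

# Fingerprint of the key in homedir $1 whose user ID matches $2.
fpr() {
    g "$1" --with-colons --list-keys "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# The TRUST_* status gpg emits while verifying detached signature $3 on file $2
# against keyring $1 (e.g. TRUST_FULLY, TRUST_UNDEFINED), or NOSIG if none.
trust_of() {
    g "$1" --status-fd 1 --trust-model pgp --verify "$3" "$2" \
        | awk '/^\[GNUPG:\] TRUST_/ { print $2; found = 1 } END { if (!found) print "NOSIG" }'
}

run_wot_demo() {
    work=$(mktemp -d /tmp/wot.XXXXXX)
    master=$work/master
    dev=$work/dev
    rogue=$work/rogue
    ring=$work/pacman-keyring
    mkdir -m 700 "$master" "$dev" "$rogue" "$ring"

    # Three key holders: the master, a developer it vouches for, and a key the
    # master never certified. Ed25519 keeps generation fast; no passphrases.
    g "$master" --quick-gen-key 'Pacman Master <master@example.invalid>' ed25519 sign never
    g "$dev"    --quick-gen-key 'Dev One <dev1@example.invalid>'         ed25519 sign never
    g "$rogue"  --quick-gen-key 'Rogue <rogue@example.invalid>'          ed25519 sign never
    master_fpr=$(fpr "$master" master@example.invalid)
    dev_fpr=$(fpr "$dev" dev1@example.invalid)
    rogue_fpr=$(fpr "$rogue" rogue@example.invalid)

    # "Developer joins": the master certifies the developer's key.
    g "$dev" --export "$dev_fpr" | g "$master" --import
    g "$master" --quick-sign-key "$dev_fpr"

    # The keyring shipped to users: the master key marked ultimately trusted,
    # the developer key carrying the master's certification, and the rogue key
    # as well, so that the difference below is trust, not key availability.
    g "$master" --export "$master_fpr" | g "$ring" --import
    g "$master" --export "$dev_fpr"    | g "$ring" --import
    g "$rogue"  --export "$rogue_fpr"  | g "$ring" --import
    echo "$master_fpr:6:" | g "$ring" --import-ownertrust
    g "$ring" --check-trustdb

    # The same constructed "package" signed by the developer and by the rogue key.
    printf 'constructed package payload\n' > "$work/pkg.tar"
    g "$dev"   --detach-sign --output "$work/pkg.tar.sig.dev"   "$work/pkg.tar"
    g "$rogue" --detach-sign --output "$work/pkg.tar.sig.rogue" "$work/pkg.tar"

    echo "dev=$(trust_of "$ring" "$work/pkg.tar" "$work/pkg.tar.sig.dev")"
    echo "rogue=$(trust_of "$ring" "$work/pkg.tar" "$work/pkg.tar.sig.rogue")"

    for h in "$master" "$dev" "$rogue" "$ring"; do
        gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$work"
}

if command -v gpg >/dev/null 2>&1; then
    run_wot_demo
else
    echo 'gpg not found; nothing to demonstrate' >&2
fi
```

The developer's signature comes back TRUST_FULLY although the keyring owner never touched the developer's key: validity flows from the single ultimately trusted master certification (GnuPG's default completes-needed is 1). The rogue signature is still a GOODSIG cryptographically but carries TRUST_UNDEFINED, which is the status a package manager would have to treat as a rejection. A power user who wants to add a trusted person does exactly what the script does for the master, but with a weaker level: import the key and give it ownertrust, or sign it locally with --lsign-key.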