Am 29.04.2010 00:36, schrieb Linas: > Thomas Bächler wrote: >> We must have a system that allows pacman to automatically verify new >> developer keys and revoke old ones ... even more important, revoke them >> in a way that signatures made before a certain date are still accepted, >> but newer ones aren't. >> I don't see this easily being implemented with PGP-Keys, but maybe >> someone else knows more. >> > > You can't trust a package made with a compromised key just because it > looks old. That can be falsified. > Packages not affected should be resigned by another developer / the new > developers key. > I would still recompile them, though (withouth necessarily increasing > the pkgrel). You are right, if the key has been compromised, you can easily include a fake date. So upon revoking a key, all packages have to be re-signed. This shows again that this is not a topic you can just solve by throwing some code at people. It needs a proper chain of trust and concepts to cover all cases - otherwise, it might be possible to compromise the system, giving users a false sense of security.
Attachment:
signature.asc
Description: OpenPGP digital signature
