On 30/04/10 01:29, Thomas Bächler wrote:
Am 29.04.2010 00:36, schrieb Linas:
Thomas Bächler wrote:
We must have a system that allows pacman to automatically verify new
developer keys and revoke old ones ... even more important, revoke them
in a way that signatures made before a certain date are still accepted,
but newer ones aren't.
I don't see this easily being implemented with PGP-Keys, but maybe
someone else knows more.
You can't trust a package made with a compromised key just because it
looks old. That can be falsified.
Packages not affected should be resigned by another developer / the new
developers key.
I would still recompile them, though (withouth necessarily increasing
the pkgrel).
You are right, if the key has been compromised, you can easily include a
fake date. So upon revoking a key, all packages have to be re-signed.
This shows again that this is not a topic you can just solve by throwing
some code at people. It needs a proper chain of trust and concepts to
cover all cases - otherwise, it might be possible to compromise the
system, giving users a false sense of security.
Has anyone had a good look at the other implementations of package
signing (Debian, Fedora, ...) and made a summary of how they handle it?