On 10/25/11, Denis A. Altoé Falqueto <denisfalqueto@xxxxxxxxx> wrote:
> The trust problem is complex, indeed, but we can at least mitigate it
> by doing the following (it's what I do):
>
> 1. set TrustedOnly, instead of TrustAll
> 2. import the keys when pacman asks
> 3. # pacman-key --edit-key <email or id for key>. That will open a gpg
> session.
> 4. go to http://www.archlinux.org/developers/ and/or
> http://www.archlinux.org/trustedusers/ to check the new signatures
> 5. sign the key, checking if the fingerprint is correct, according to
> the websites from step 4
> 6. perform save to apply the changes
>
> That way, one can be a little more secure when trusting the keys. The
> point is always checking with different places. Today, there are the
> keyservers and the Arch developer info pages. Some day, there could be
> more options (read-only wiki page, fixed BBS posts), so if one is
> compromised, the others can serve as checkpoints for integrity.
>
> IMHO, I don't like TrustAll very much (and the equivalent concepts in
> other distributions). It takes the responsibility from the users, who
> are the ultimate decision makers of their systems. But that is just my
> opinion (not an invitation to a long pointless discussion). We have
> options enough to satisfy everyone.

Thanks for the suggested steps. That tells me a bit more about the process.
I may give that a try fairly soon. I've done very little with pgp; I just
set up a personal pgp key pair several years ago and use it with some of my
e-mail, but other than that I've pretty much left it alone. It seemed like
any time I read much about this encryption stuff, it rose right up way over
my head. I suppose I should try and get my head more around this encryption
stuff sooner than later.
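The "check the fingerprint against a second source before signing" part of steps 4 and 5 in the quoted procedure, written out as a small POSIX sh helper. This is an added example; it is not code from either message in this thread or from the pacman project. It assumes pacman's keyring lives in /etc/pacman.d/gnupg (pacman's default), that the expected fingerprint was transcribed by hand from the developer or trusted-user page, and that `pacman-key --lsign-key` is used in place of the interactive `--edit-key` session (both sign the key with the local master key; the script just refuses to get that far unless the fingerprints agree).

```shell
#!/bin/sh
# Added example (not from the thread or from pacman): compare the fingerprint
# that is in pacman's keyring with one copied from a second, independent
# source, and only then locally sign the key.
#
# Assumptions, all illustrative:
#   - pacman's keyring is /etc/pacman.d/gnupg (overridable via PACMAN_GNUPGHOME)
#   - the second argument is a fingerprint copied from
#     http://www.archlinux.org/developers/ or http://www.archlinux.org/trustedusers/
#   - "pacman-key --lsign-key" is acceptable in place of "pacman-key --edit-key"
set -u

PACMAN_GNUPGHOME="${PACMAN_GNUPGHOME:-/etc/pacman.d/gnupg}"

# Normalise a fingerprint as it appears on a web page or in gpg output
# ("0123 4567 89ab ...", mixed case) to 40 upper-case hex digits, no spaces.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# A real v4 OpenPGP fingerprint is 40 hex digits.  An 8- or 16-digit key id
# is NOT a fingerprint; accepting one here would defeat the whole check.
valid_fpr() {
    case "$1" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ ${#1} -eq 40 ]
}

# 0 if the two fingerprints are identical regardless of spacing and case,
# non-zero otherwise (including when either one is not a full fingerprint).
fpr_matches() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    valid_fpr "$a" && valid_fpr "$b" && [ "$a" = "$b" ]
}

# Fingerprint of KEYID as stored in pacman's keyring.  --with-colons output is
# stable across gpg versions; field 10 of the "fpr" record is the fingerprint.
keyring_fpr() {
    gpg --homedir "$PACMAN_GNUPGHOME" --batch --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Sign KEYID with the local pacman master key only if the keyring's copy
# carries the fingerprint taken from the second source.
check_and_lsign() {
    keyid=$1
    expected=$2
    actual=$(keyring_fpr "$keyid")
    if [ -z "$actual" ]; then
        echo "key $keyid is not in $PACMAN_GNUPGHOME; import it first (pacman-key -r $keyid)" >&2
        return 2
    fi
    if fpr_matches "$expected" "$actual"; then
        echo "fingerprint of $keyid matches the second source, signing locally"
        pacman-key --lsign-key "$keyid"
    else
        echo "REFUSING to sign $keyid: keyring has $actual, second source says $(normalize_fpr "$expected")" >&2
        return 1
    fi
}

# Usage (as root): sh check-and-sign.sh <keyid> "<fingerprint from the developer page>"
if [ $# -eq 2 ]; then
    check_and_lsign "$1" "$2"
fi
```

The point of `valid_fpr` is that pasting only the short key id shown in pacman's "import key?" prompt and matching it against the tail of the fingerprint is not a fingerprint check; the comparison is refused unless both sides are full 40-digit fingerprints. Run it with `PACMAN_GNUPGHOME` pointed at a scratch keyring first if you want to see the refusal path without touching the real one.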