On Sun, Jun 17, 2012 at 09:25:25PM +0200, Geoffroy PLANQUART wrote:
> I noticed that every time I set up a new VM, I have to manually run the
> `pacman-key --init' and `pacman-key --populate archlinux'.
>
> Wouldn't it be time to set up a new installation release? Thus new users
> wouldn't have to bother about pacman recent changes, and moreover the basic
> install would be kept simple, ready to use.

I'm maintaining a development VM at work based on Arch, and encountered the same issue; everyone installing one of these VMs for the first time has to do the key generation dance, which is made worse by the fact that a VM doesn't tend to generate lots of entropy in the first place.

However: Distributing a pacman keychain master key to more than one machine is rarely a sensible solution. If you actually want the very specific additional security checks offered by only allowing signed packages, you must ensure a properly secured master key with a diligently confirmed web of trust.

If the private master key, which is being generated with --init, leaks, it is trivial for a hypothetical attacker to directly sign manipulated packages with this key, which basically invalidates the security benefit signed packages are supposed to offer.

If you do not need signed packages, anyway, just switch off the signature logic in your pacman.conf with SigLevel = Never and don't bother with key management at all.

It all depends on your setup and requirements. Of course a fresher installation medium surely would be nice to have, especially for VM setup, although there are quicker ways than a bootable CD to get an up-to-date VM running with Arch, do not expect key management to ever run out of the box. It's not supposed to, as it's highly individual.

Best regards,
Dennis
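
For anyone building VM images along the lines discussed in this message, a small audit of which repositories in a `pacman.conf` end up with package signature checks switched off. This is an added example, not part of the original message; it runs on a constructed sample config, assumes a repository's own `SigLevel` line replaces the `[options]` one, and does not follow `Include` files.

```shell
# Added example, not from the original message. Assumptions: a repo's own
# SigLevel line replaces the [options] one; Include files are not followed.
# write_sample_conf FILE: constructed pacman.conf used as sample input
write_sample_conf() {
    cat > "$1" <<'EOF'
[options]
SigLevel = Never
[core]
# SigLevel = Never
SigLevel = Required DatabaseOptional
[extra]
Server = https://mirror.example.invalid/extra
[devtools]
SigLevel = PackageNever
EOF
}

# effective_siglevels FILE: prints "repo<TAB>SigLevel<TAB>source" per repo
effective_siglevels() {
    awk '
        /^[ \t]*#/ { next }                     # comments start a line
        /^[ \t]*\[.*\][ \t]*$/ {                # [section] header
            gsub(/^[ \t]*\[|\][ \t]*$/, ""); sec = $0
            if (sec != "options") order[++n] = sec
            next
        }
        /^[ \t]*SigLevel[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            level[sec] = val
        }
        END {
            for (i = 1; i <= n; i++) {
                r = order[i]; src = "repo"
                if (!(r in level)) { src = "options"; level[r] = level["options"] }
                if (level[r] == "") { src = "default"; level[r] = "(unset)" }
                printf "%s\t%s\t%s\n", r, level[r], src
            }
        }' "$1"
}

# unsigned_repos FILE: repos whose packages are installed without verification
unsigned_repos() {
    effective_siglevels "$1" | awk -F '\t' '{
        n = split($2, tok, /[ \t]+/)
        for (i = 1; i <= n; i++)
            if (tok[i] == "Never" || tok[i] == "PackageNever") { print $1; break }
    }'
}

f=$(mktemp); write_sample_conf "$f"; unsigned_repos "$f"; rm -f "$f"
```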