Hi, Recently I had to fix a corrupted pacman db from a 3 month old livecd and realized that this process is not so innocent. Specifically, there is a chance to get a trojaned package on the system simply because the archlinux-keyring package on the iso is outdated. Of course, other similar scenarios are possible, e.g. a fresh install is made from an old livecd, or a server is updated after several months of uptime: new packages are pulled in but signature checks are made using the old keyring currently on the host. So, instead of relying on the discrete updates of archlinux-keyring, wouldn't is make more sense to have a systemd timer/cron job to frequently refresh pacman keyring? Thanks, -- Leonid Isaev GPG key fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
Attachment:
signature.asc
Description: PGP signature
