I do agree with that. I switched on a laptop which was off since September 2013 and I had some issue with some key. I had to update the key before having a successful update.

2014-02-13 20:21 GMT+01:00 Leonid Isaev <lisaev@xxxxxxxxxxxx>:

> Hi,
>
> Recently I had to fix a corrupted pacman db from a 3 month old livecd
> and realized that this process is not so innocent. Specifically, there is a
> chance to get a trojaned package on the system simply because the
> archlinux-keyring package on the iso is outdated. Of course, other similar
> scenarios are possible, e.g. a fresh install is made from an old livecd, or a
> server is updated after several months of uptime: new packages are pulled in
> but signature checks are made using the old keyring currently on the host.
>
> So, instead of relying on the discrete updates of archlinux-keyring,
> wouldn't it make more sense to have a systemd timer/cron job to frequently
> refresh pacman keyring?
>
> Thanks,
> --
> Leonid Isaev
> GPG key fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
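
One way to implement the periodic refresh proposed in the quoted message, as an added example that is not from either poster or from the pacman project: a script for a systemd timer or cron job that runs `pacman-key --refresh-keys` only when the last successful refresh is too old. The stamp file path, the 7-day threshold and the `--run` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: refresh the pacman keyring when the last successful refresh
# is older than a threshold, so signature checks do not rely on a stale keyring.
# STAMP and MAX_AGE_DAYS are assumptions of this example, not pacman settings.
STAMP="${STAMP:-/var/lib/pacman-keyring-refresh.stamp}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-7}"

# keyring_is_stale STAMP_FILE MAX_AGE_DAYS [NOW_EPOCH]
# Returns 0 (stale) when the stamp is missing or unreadable, when its mtime
# lies in the future (clock problems, e.g. a laptop with a dead RTC battery),
# or when it is at least MAX_AGE_DAYS old. Returns non-zero otherwise.
keyring_is_stale() {
    now="${3:-$(date +%s)}"
    [ -e "$1" ] || return 0
    mtime=$(stat -c %Y "$1") || return 0   # GNU stat, as shipped on Arch
    age=$(( now - mtime ))
    [ "$age" -lt 0 ] && return 0
    [ "$age" -ge $(( $2 * 86400 )) ]
}

# Refresh keys from the keyserver if the stamp says the keyring is stale.
# The stamp is only touched when the refresh itself succeeded, so a failed
# refresh (no network, keyserver down) is retried on the next run.
refresh_if_stale() {
    keyring_is_stale "$STAMP" "$MAX_AGE_DAYS" || return 0
    pacman-key --refresh-keys && touch "$STAMP"
}

# Act only when asked, so the functions can be sourced and tested
# without touching the system keyring.
if [ "${1:-}" = "--run" ]; then
    refresh_if_stale
fi
```

On a machine that has been off for months, running the script with `--run` as root before the first `pacman -Syu` covers the laptop case described in the reply.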