On Fri, 14 Feb 2014 03:43:38 -0800 Don deJuan <donjuansjiz@xxxxxxxxx> wrote:
> On 02/14/2014 03:00 AM, Plonky Duby wrote:
> > I do agree with that, I switched on a laptop which was off since September
> > 2013 and I had some issue with some key.
> >
> > I had to update the key before having a successful update.
> >
> >
> > 2014-02-13 20:21 GMT+01:00 Leonid Isaev <lisaev@xxxxxxxxxxxx>:
> >
> >> Hi,
> >>
> >> Recently I had to fix a corrupted pacman db from a 3 month old livecd
> >> and realized that this process is not so innocent. Specifically, there is
> >> a chance to get a trojaned package on the system simply because the
> >> archlinux-keyring package on the iso is outdated. Of course, other similar
> >> scenarios are possible, e.g. a fresh install is made from an old livecd, or a
> >> server is updated after several months of uptime: new packages are pulled in
> >> but signature checks are made using the old keyring currently on the host.
> >> So, instead of relying on the discrete updates of archlinux-keyring,
> >> wouldn't it make more sense to have a systemd timer/cron job to frequently
> >> refresh pacman keyring?
> >>
> >> Thanks,
> >> --
> >> Leonid Isaev
> >> GPG key fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
> >
> > pacman-key --refresh-keys ??

Well, I run this on the home server via a systemd timer, so that I don't forget to do it before an update. It is certainly not necessary on a frequently updated machine, but might be a good idea for a livecd before an installation.

Cheers,
--
Leonid Isaev
GPG key fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
Attachment:
signature.asc
Description: PGP signature
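The timer-driven refresh Leonid describes, written out as an added example; this is not code posted by anyone in the thread. The stamp file path, the staleness threshold, the unit names and the script path in ExecStart are all my assumptions. It records the time of the last successful `pacman-key --refresh-keys`, skips the keyserver round-trip when that is recent, and prints a systemd service/timer pair with `Persistent=true` so a run missed while the machine was off (the laptop that was powered down since September) fires at the next boot instead of being dropped.

```shell
#!/bin/sh
# Refresh the pacman keyring when it has not been refreshed for a while.
# Added example for this thread, not code posted by any participant.
# Assumptions (mine, not from the thread): the last successful refresh is
# recorded in a stamp file, and the unit names and script path are invented.

STAMP_FILE="${STAMP_FILE:-/var/lib/pacman-key-refresh.stamp}"
STALE_DAYS="${STALE_DAYS:-14}"

# stamp_age_days STAMP NOW_EPOCH
# Print the whole days since STAMP was last touched. A missing stamp
# (fresh install from a livecd, or the job never ran) counts as 999999
# days so the first run always refreshes.
stamp_age_days() {
    if [ ! -e "$1" ]; then
        echo 999999
        return 0
    fi
    _mtime=$(stat -c %Y "$1")      # GNU stat, as shipped on Arch
    echo $(( ($2 - _mtime) / 86400 ))
}

# is_stale AGE_DAYS THRESHOLD_DAYS: succeed when a refresh is due.
is_stale() {
    [ "$1" -ge "$2" ]
}

# refresh_if_stale: pull updates (new signatures, expiry extensions,
# revocations) for the keys already in the pacman keyring and record the
# time on success. --refresh-keys does not fetch keys that are not in the
# keyring yet; those arrive with the archlinux-keyring package.
refresh_if_stale() {
    _age=$(stamp_age_days "$STAMP_FILE" "$(date +%s)")
    if ! is_stale "$_age" "$STALE_DAYS"; then
        echo "keyring refreshed $_age day(s) ago, threshold $STALE_DAYS: nothing to do"
        return 0
    fi
    echo "keyring refreshed $_age day(s) ago, running pacman-key --refresh-keys"
    pacman-key --refresh-keys || return 1
    mkdir -p "$(dirname "$STAMP_FILE")"
    touch "$STAMP_FILE"
}

# print_units: the systemd service/timer pair that runs this script.
# Persistent=true makes a run that was missed while the machine was off
# fire at the next boot.
print_units() {
    cat <<'EOF'
# /etc/systemd/system/pacman-key-refresh.service
[Unit]
Description=Refresh the pacman keyring from keyservers
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/pacman-key-refresh.sh refresh

# /etc/systemd/system/pacman-key-refresh.timer
[Unit]
Description=Refresh the pacman keyring weekly

[Timer]
OnCalendar=weekly
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

# Entry points: "refresh" does the work, "units" prints the unit files.
# With no argument the script only defines the functions above.
case "${1:-}" in
    refresh) refresh_if_stale ;;
    units)   print_units ;;
esac
```

Install the script as root, write the two units from `./pacman-key-refresh.sh units`, then `systemctl enable --now pacman-key-refresh.timer`. Two caveats from the thread itself: the refresh needs a working keyserver connection, which is why the service orders after network-online.target, and it only updates keys the keyring already holds. A machine that has been off for months, or a livecd image, still needs the current archlinux-keyring package to pick up new packager keys; the refresh complements that, it does not replace it.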