Arch Linux impacted by new defaults in 2.2.17

Wiktor Kwapisiewicz wiktor at metacode.biz
Fri Jul 12 15:10:43 CEST 2019


Hello,

I just saw the following bug reported in Arch Linux repos:
https://bugs.archlinux.org/task/63147

with the title "[gnupg] 2.2.17 release is broken by design and breaks 
pacman".

It appears Arch's packages use Web of Trust for introducing new 
developers by adding 3 signatures out of 5 (or 6) marginally trusted 
Master Signing Keys: https://www.archlinux.org/master-keys/ and thus 
they depend on these signatures to be there.

Quoting the bug report:

> By default, pacman itself will try to look up keys which it does not know about yet, and download them with the master key signatures in order to validate signed packages/repositories. 

Would deploying WKD on archlinux.org and making signatures with --sender 
preserve third-party-signatures that they depend on?

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor
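
The dependency described in the message above can be shown with a small model. This is an added example, not part of the original message and not GnuPG's or pacman's code. It assumes the classic trust model with GnuPG's default thresholds and models a `self-sigs-only` import as dropping every certification not made by the key itself; the key IDs are constructed placeholders.

```python
# Simplified model of the classic Web of Trust validity calculation.
# Assumption: thresholds are GnuPG's defaults.
MARGINALS_NEEDED = 3   # default for gpg --marginals-needed
COMPLETES_NEEDED = 1   # default for gpg --completes-needed


def strip_third_party(cert):
    """Model a self-sigs-only import: keep only the key's own certifications."""
    return {"keyid": cert["keyid"],
            "sigs": [s for s in cert["sigs"] if s == cert["keyid"]]}


def is_valid(cert, ownertrust):
    """Return True if enough trusted keys have certified this key.

    ownertrust maps keyid -> "marginal" | "full". Assumption: every key
    listed there is itself already valid in the local keyring.
    """
    issuers = set(cert["sigs"]) - {cert["keyid"]}  # self-signatures do not count
    full = sum(1 for k in issuers if ownertrust.get(k) == "full")
    marginal = sum(1 for k in issuers if ownertrust.get(k) == "marginal")
    return full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED


# Constructed sample data: five hypothetical master keys, marginally trusted.
OWNERTRUST = {f"MASTER{i}": "marginal" for i in range(1, 6)}
# Constructed developer key: self-signature plus three master-key signatures.
DEV_KEY = {"keyid": "DEV1", "sigs": ["DEV1", "MASTER1", "MASTER3", "MASTER4"]}
# Constructed developer key with only two master-key signatures.
DEV_KEY_2 = {"keyid": "DEV2", "sigs": ["DEV2", "MASTER1", "MASTER2"]}


def demo():
    """Validity with all signatures, after stripping, and with too few signatures."""
    full_import = is_valid(DEV_KEY, OWNERTRUST)
    stripped_import = is_valid(strip_third_party(DEV_KEY), OWNERTRUST)
    too_few = is_valid(DEV_KEY_2, OWNERTRUST)
    return full_import, stripped_import, too_few


if __name__ == "__main__":
    print(demo())
```

The same key goes from valid to not valid once the master-key certifications are missing from the imported copy, which is the condition under which signature verification against that key stops being trusted.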



More information about the Gnupg-users mailing list