On 05.03.2012 10:39, Christian Hesse wrote: > Hello everybody, > > afaik, database files in official repositories are not signed yet. Are they? > > This forces one to set SigLevel to 'Optional' instead of 'Required'. Now if > anybody wants to provide an infected package he/she only needs to provide no > signature at all and the package is happily accepted, no? > > So when will database files from official packages be signed? > > And even more interesting: Does it make sense to add a new option > 'PkgRequired'? This could force valid signatures for packages and make it > optional for database files.
You should read pacman.conf(5) "PACKAGE AND DATABASE SIGNATURE CHECKING" and use "Optional PackageRequired" -- Florian Pritz
signature.asc
Description: OpenPGP digital signature
