On 05.03.2012 10:39, Christian Hesse wrote:
> Hello everybody,
> 
> afaik, database files in official repositories are not signed yet. Are they?
> 
> This forces one to set SigLevel to 'Optional' instead of 'Required'. Now if
> anybody wants to provide an infected package he/she only needs to provide no
> signature at all and the package is happily accepted, no?
> 
> So when will database files from official packages be signed?
> 
> And even more interesting: Does it make sense to add a new option
> 'PkgRequired'? This could force valid signatures for packages and make it
> optional for database files.

You should read pacman.conf(5) "PACKAGE AND DATABASE SIGNATURE CHECKING"
and use "Optional PackageRequired"

-- 
Florian Pritz

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to