[Assist] [Dev] Wiki page of Pacman Troubleshooting (because of the recent problems with devs keys)

Marcel Röthke marcel at roethke.info
Fri Apr 28 18:46:46 BST 2017 

On 28.04.2017 14:41, Megver83 wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Hi everyone, I just wrote
> https://wiki.parabola.nu/Pacman_troubleshooting so for the ones who
> have problems with keys see
> https://wiki.parabola.nu/Pacman_troubleshooting#Errors_about_Keys
> 
> This should also appear in Parabola news, since the commands given
> there are incorrect. It's better to give the link to this wiki page.
> 
> - -- 
> SIP: megver83 at sip.linphone.org
> XMPP: megver83 at diasp.org
> Tox: megver83 at toxme.io
> GPG: 0x227CA7C556B2BA78
> GNUSocial: @megver83 at quitter.cl
> Diaspora*: David P. (same XMPP ID)
> -----BEGIN PGP SIGNATURE-----
> 
> iQEzBAEBCgAdFiEEbbnEtPDYwNxDLPbkInynxVayungFAlkDOGQACgkQInynxVay
> ungxKgf/XXo/s63/3eFWG2vGzoyMylvagq2MVEL9Hxah4MO1kGHTXq6A+gE1WnzK
> 5jutA15L0FkgJeAfBhVwDBfMs0Y9e2ozWHy2x0lKt4HsnmpkJy16qmOW8xE26Eza
> YBodb6f3t2M2mJ7eAgNIs0u4rsYziQiJn+VLnCRkIxMsKUT8DkrTREW1rIx3q2ZE
> FwT64UHAcYgoXSRbxnGUhJHEH3u+b0Bys9yIxIndDes0F5RY6egL7PIS0POPUYbp
> 6HHBsPoBfwPcfp4wXBaah5m5IzgaaGW7I5R7pYk3FBhctfM5a6648Zqk1sTwfqYO
> JTufCYt0E+QZZdos2kcM5qgWmSS8qw==
> =eQgv
> -----END PGP SIGNATURE-----
> _______________________________________________
> Dev mailing list
> Dev at lists.parabola.nu
> https://lists.parabola.nu/mailman/listinfo/dev
> 

Sorry, but what you are suggesting in the wiki can not be called a
solution in my honest opinion.
Packages are signed to ensure that they are coming from a trusted
source. Which in turn allows me to trust my system. Allowing distrusted
packages to install breaks that trust, requiring a reinstall to rebuild
it. Because there is no straightforward way to be certain that nothing
malicious found it's way onto the system.

I furthermore think that it is quite concerning to provide that as a
solution. Especially considering parabolas context as a distribution
that only provides free software. Which among other things is about trust.

In my opinion the only viable solution to this problem is providing a
fixed parabola-keyring package that is signed by an already trusted key.
And maybe even to stop doing automatic builds for the package that
basically is the foundation of trust for parabola

More information about the Assist mailing list