On 04/03/12 01:25, Pierre Schmitz wrote:
> Hi all,
>
> while working on our keyring package again I am still stuck at this
> question. pacman-key --populate checks if the files to import are
> signed. The man page tells us:
>
> This prevents a potentially malicious repository
> adding keys to the pacman keyring without the user's knowledge.
>
> But I don't get the reasoning here at all. If I install a malicious
> package, its install function is run as root and can do anything;
> including bypassing the --populate function and calling gpg directly. If I
> miss anything here please let me know as I couldn't find out.
>
> Removing this check would save me from reinventing the wheel and I
> don't have to create a script which does exactly what --populate does
> but without the check. This check prevents us from a simple bootstrap;
> and we gain no improved security if we let the user do it manually.
> (think about what a malicious package would do)
>
> In detail this means removing the call to verify_keyring_input in
> pacman-key and then removing the now unused functions verify_keyring_input
> and validate_with_gpg.
I cannot think of a situation where you could edit the keyring files but not access the pacman keyring directly... Unless someone else can think of a good reason to keep this, I would agree to removing that requirement.

Allan
