Arch Linux impacted by new defaults in 2.2.17

I just saw the following bug reported in Arch Linux repos:

with the title "[gnupg] 2.2.17 release is broken by design and breaks

It appears Arch's packages use the Web of Trust for introducing new
developers by adding 3 signatures out of 5 (or 6) marginally trusted
Master Signing Keys: and thus
they depend on these signatures to be there.

Quoting the bug report:

> By default, pacman itself will try to look up keys which it does not know about yet, and download them with the master key signatures in order to validate signed packages/repositories.

Would deploying WKD on and making signatures with --sender
preserve the third-party signatures that they depend on?

Kind regards,
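
A small model of the trust computation behind the 3-of-5 scheme the post
describes, added here as an illustration; it is not code from the thread,
from pacman, or from GnuPG. It assumes GnuPG's default thresholds
(--marginals-needed 3, --completes-needed 1, --max-cert-depth 5), a local
ultimately trusted key that has locally signed the master keys and given
them marginal owner-trust (as the post's 3-of-5 marginal scheme implies),
and uses constructed key IDs (PACMAN-LOCAL, MASTER-1..5, DEV-KEY). The
import_from_keyserver() function models the 2.2.17 default of keeping only
self-signatures on keys fetched from a keyserver.

```python
"""Model of GnuPG's Web-of-Trust validity check applied to the Arch setup
described in the post (added example; not from the thread, pacman or GnuPG).

Key IDs and signature sets are constructed for illustration. Thresholds are
GnuPG's defaults: --marginals-needed 3, --completes-needed 1,
--max-cert-depth 5.
"""

from dataclasses import dataclass, field

MARGINALS_NEEDED = 3
COMPLETES_NEEDED = 1
MAX_CERT_DEPTH = 5


@dataclass
class Key:
    keyid: str
    ownertrust: str = "unknown"                    # ultimate | full | marginal | unknown
    certifiers: set = field(default_factory=set)   # key IDs that have signed this key


def is_valid(keyid, keyring, depth=0):
    """True if GnuPG would treat the key as fully valid under its WoT rules."""
    key = keyring.get(keyid)
    if key is None or depth > MAX_CERT_DEPTH:
        return False
    if key.ownertrust == "ultimate":
        return True  # ultimately trusted keys are valid by definition
    full = marginal = 0
    for signer in key.certifiers:
        if signer == keyid:
            continue  # a self-signature never counts toward validity
        if not is_valid(signer, keyring, depth + 1):
            continue  # certifications from invalid keys carry no weight
        trust = keyring[signer].ownertrust
        if trust in ("ultimate", "full"):
            full += 1
        elif trust == "marginal":
            marginal += 1
    return full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED


def import_from_keyserver(key, self_sigs_only):
    """Model the 2.2.17 default: a key fetched from a keyserver keeps only its
    self-signatures, so every third-party certification is dropped."""
    kept = ({key.keyid} & key.certifiers) if self_sigs_only else set(key.certifiers)
    return Key(key.keyid, key.ownertrust, kept)


def build_keyring():
    """Local keyring: an ultimately trusted pacman key (constructed ID) that has
    locally signed five master keys, each given marginal owner-trust."""
    local = Key("PACMAN-LOCAL", "ultimate", {"PACMAN-LOCAL"})
    masters = {
        f"MASTER-{i}": Key(f"MASTER-{i}", "marginal", {f"MASTER-{i}", "PACMAN-LOCAL"})
        for i in range(1, 6)
    }
    return {local.keyid: local, **masters}


def developer_key(n_master_sigs):
    """A developer key (constructed ID) self-signed and certified by n masters."""
    sigs = {"DEV-KEY"} | {f"MASTER-{i}" for i in range(1, n_master_sigs + 1)}
    return Key("DEV-KEY", "unknown", sigs)


def can_verify_package(n_master_sigs, self_sigs_only):
    """Would a package signed by DEV-KEY validate after fetching that key?"""
    ring = build_keyring()
    fetched = import_from_keyserver(developer_key(n_master_sigs), self_sigs_only)
    ring[fetched.keyid] = fetched
    return is_valid("DEV-KEY", ring)


if __name__ == "__main__":
    for sigs, strip in [(3, False), (2, False), (3, True), (5, True)]:
        print(f"{sigs} master sigs, self-sigs-only={strip}: "
              f"valid={can_verify_package(sigs, strip)}")
```

With the pre-2.2.17 behaviour (self_sigs_only=False) a developer key
carrying three master-key certifications validates and one carrying two
does not; with the new default every fetched key arrives with only its
self-signature, so it never validates however many masters signed it.
The 2.2.17 release notes give the opt-out for that default as
`keyserver-options no-self-sigs-only,no-import-clean` in gpg.conf.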

Re: Arch Linux impacted by new defaults in 2.2.17
It's all about where they look for new/updated keys. There's folks
out there who use a WKD setup, as you mentioned, then there's some
who use a standalone (isolated, non-peering) SKS keyserver, etc.

I do not think reverting the patch that causes issues for them is a
smart move in the long run. [...]

Welcome to the mess of PKI.

left blank, right bald

Gnupg-users mailing list