About the ability of Pamac to import keys for AUR building

pamac

#1

Hi! I’d like to congratulate Pamac’s dev, even though I don’t use it yet.

After reading this:

libpamac: add a dialog to import the required PGP keys when building a package from AUR

I wonder what happens to the imported keys when you remove the package from the system. It would be nice if Pamac checked if the key was needed for any other package, and then removed it if it didn’t. Obviously, this would apply to AUR packages only, so maybe Pamac would have to keep a list of downloaded keys/built-and-installed packages pairs to speed up the process?

Just an idea, sorry if it seems silly or unreasonable.


#2

I think it would be more appropriate to check whether the key is still valid.
If it’s still valid, it can just stay in the keyring IMHO.

If it’s invalid or expired, then yes something should be done.
Or present a switch like e.g. --check-keys so users can decide.


#3

As far as I know, the responsibility to manage your keyring is still on your side. It’s just that now, we can add required keys to our keyring within Pamac instead of being forced to open a terminal and use “gpg --recv-keys” (or any method) each time it’s needed.


#4

A combination of the last 2 (or arguably all 3) posters is where I sit …
It is and should be a manual operation. Prompting for it is nice and welcome.
A similar check or prompt on uninstall would similarly be welcome.


#5

If it offers to import the keys, why not offer to remove them also? I just thought it could be a good addition.

I don’t know if I agree with this. Not that it would harm the system, but for the sake of good management, only the official (arch+manjaro) keys should reside on the system unless needed for a specific external package.

Yes, I do agree with this.
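
Post #2 suggests checking whether imported keys are still valid. As an added example (not part of any post in this thread and not Pamac's code), the shell function below reads `gpg --list-keys --with-colons` output and reports expired or revoked keys; going beyond the post, it also flags keys that expire within a given number of days. The function name, key IDs and sample records are constructed, and field 7 is assumed to hold epoch seconds.

```shell
#!/bin/sh
# Added example: flag stale public keys in gpg's colon-delimited listing.
# Real use: gpg --list-keys --with-colons | stale_keys "$(date +%s)" 30
#
# Colon format fields used here (per "pub" record):
#   1 = record type, 2 = validity (e = expired, r = revoked),
#   5 = key ID, 7 = expiration time (assumed epoch seconds, empty = never)

# stale_keys NOW_EPOCH WINDOW_DAYS  (hypothetical helper name)
# Reads colon records on stdin, prints "<keyid> <status>" per stale key.
stale_keys() {
    awk -F: -v now="$1" -v days="$2" '
        $1 == "pub" {
            status = ""
            if ($2 == "r")      status = "revoked"
            else if ($2 == "e") status = "expired"
            # Still valid, but expiry falls inside the warning window
            else if ($7 != "" && $7 + 0 <= now + days * 86400)
                status = "expires-soon"
            if (status != "") print $5, status
        }'
}

# Constructed sample listing (key IDs and timestamps are made up)
SAMPLE='tru::1:1700000000:0:3:1:5
pub:e:4096:1:1111111111111111:1400000000:1500000000::-:::sc::::::23::0:
uid:e::::1400000000::AAAA::Constructed Expired <expired@example.invalid>::::::::::0:
pub:r:4096:1:2222222222222222:1400000000:::-:::sc::::::23::0:
uid:r::::1400000000::BBBB::Constructed Revoked <revoked@example.invalid>::::::::::0:
pub:-:4096:1:3333333333333333:1600000000:1701000000::-:::scESC::::::23::0:
sub:-:4096:1:3333333333333334:1600000000:1701000000:::::e::::::23:
pub:-:4096:1:4444444444444444:1600000000:::-:::scESC::::::23::0:
pub:u:4096:1:5555555555555555:1600000000:1800000000::u:::scESC::::::23::0:'

# Run against the sample with a fixed "now" so the result is reproducible
printf '%s\n' "$SAMPLE" | stale_keys 1700000000 30
```

Only `pub` records are examined, so subkeys and user IDs with their own validity flags are not reported separately.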