A new RFC (request for comment) has been opened here:

https://gitlab.archlinux.org/archlinux/rfcs/-/merge_requests/59

Please visit the above link for discussion.

Summary:

Introduce a centralized, hardware-backed solution for the digital signing of
OS artifacts.
Gradually replace the need for manual signing of artifacts throughout the
distribution.
The stepwise plan in this document will eventually lead to changes for the
following existing roles within Arch Linux staff:

- Package maintainers will no longer sign packages using their individual
  OpenPGP private key.
- The amount of OpenPGP certificates for main signing key holders to care for
  will be drastically reduced.
- The DevOps team will have to monitor and administrate additional physical
  machines in a colocation.

New groups of people within Arch Linux staff will

- collectively take care of the administrative credentials for the described
  system as holders of shares of a shared secret,
- provide software upgrades for components of the system as developers of
  Signstar,
- and create releases for a central, image-based OS as developers of Signstar
  OS.

For details refer to the section "changes for users and staff".

Attachment: signature.asc
Description: PGP signature