On Thu, Aug 07, 2014 at 09:57:24PM +0200, Fabien Dubosson wrote:
> Hi,
>
> I want to start a discussion about AUR packages signing. If this debate
> already happened, it means that I'm not really good with Google or
> unfortunate in the keywords I used in my searches: in these cases
> forgive me and just give me some pointers.
>
> TL;DR I personally "trust" some AUR users who have several good-quality
>       packages, and an optional way to sign AUR packages would permit me
>       to know that I can build and update their packages without
>       worrying too much.

I did read your proposal, but my comment can be framed in the context of your tl;dr: You don't really seem to want GPG signatures, just a whitelist of package maintainers by name. Any AUR helper could implement support for this today, with no changes to the AUR.

d
