Hi,

I maintain a handfull of packages in AUR -- most of which I'm also the upstream
author of -- and with all the recent hubub have been thinking about improving
the trustability of those packages. I hadn't before really looked into signing
since that seems mostly the domain of the core repositories and specifically
signed _built_ packages (ignoring `-bin` packages in AUR for the moment).

It occurs to me that my signature is going to have the most value to diligent
checkers if it's signed by one of the trusted keys in `archlinux-keyring`, which
of course leads me to wonder: is there a documented process for non-core
contributors to get their keys signed? Arch Linux key signing parties, or
something?

There's a lot of discussion going on about a longer-term response to the supply
chain attacks, and I'm sure a lot more less-visible discussion among the core
team. In the meantime, I'd like to improve the trustability of the packages I
maintain. I don't want to lose the enormous value AUR provides small (less
popular) software developers and, ultimately, Arch users.

--- SER   
Sean E. Russell (https://ser1.net)   
OpMsg: https://ser1.net/.well-known/opmsg.txt    
GPG key: https://ser1.net/.well-known/pgp.asc    
Minisign: https://ser1.net/.well-known/minisign.pub   
Age: age195vpft7nzsy83medxagqqsge0lrcuf9txe3z2znlu2wsk69cdu4sx8nfvp

Reply via email to