On 26/06/29 08:25AM, Sean E. Russell wrote: > Hi, Hey Sean,
> I maintain a handfull of packages in AUR -- most of which I'm also the > upstream > author of -- and with all the recent hubub have been thinking about improving > the trustability of those packages. I hadn't before really looked into signing > since that seems mostly the domain of the core repositories and specifically > signed _built_ packages (ignoring `-bin` packages in AUR for the moment). > > It occurs to me that my signature is going to have the most value to diligent > checkers if it's signed by one of the trusted keys in `archlinux-keyring`, > which > of course leads me to wonder: is there a documented process for non-core > contributors to get their keys signed? Arch Linux key signing parties, or > something? the sole purpose of a signature by one the master key holders (and following that the inclusion of a key in `archlinux-keyring`) is to enable someone to package for the _official_ Arch Linux repositories (see https://wiki.archlinux.org/title/Official_repositories for a list). There is a possiblity to get your key signed by one of the Arch Linux Packagers, however this is more something that people would do in the context of a key signing party (and I'm not sure if those are still a thing nowadays) and IMO nothing that we should strive for as an overall ecosystem to improve the situation. Cheers, Chris
signature.asc
Description: PGP signature
