On 26/06/29 08:25AM, Sean E. Russell wrote:
> Hi,

Hey Sean,

> I maintain a handfull of packages in AUR -- most of which I'm also the 
> upstream
> author of -- and with all the recent hubub have been thinking about improving
> the trustability of those packages. I hadn't before really looked into signing
> since that seems mostly the domain of the core repositories and specifically
> signed _built_ packages (ignoring `-bin` packages in AUR for the moment).
> 
> It occurs to me that my signature is going to have the most value to diligent
> checkers if it's signed by one of the trusted keys in `archlinux-keyring`, 
> which
> of course leads me to wonder: is there a documented process for non-core
> contributors to get their keys signed? Arch Linux key signing parties, or
> something?

the sole purpose of a signature by one the master key holders (and
following that the inclusion of a key in `archlinux-keyring`) is to
enable someone to package for the _official_ Arch Linux repositories
(see https://wiki.archlinux.org/title/Official_repositories for a list).

There is a possiblity to get your key signed by one of the Arch Linux
Packagers, however this is more something that people would do in the
context of a key signing party (and I'm not sure if those are still a
thing nowadays) and IMO nothing that we should strive for as an overall
ecosystem to improve the situation.

Cheers,
Chris

Attachment: signature.asc
Description: PGP signature

Reply via email to