Responding to Christian's email, but I'll collate messages so as to not pollute
the list too much.

TLDR, it's clear that I'm trying to use `PKGBUILD` source signing in a way that
it was not intended for.

On Mon Jun 29, 2026 at 11:10 AM PDT, Leonidas Spyropoulos wrote:
> The archlinux-keyring is only for Package Maintainers. It's a 

and

On Mon Jun 29, 2026 at 11:03 AM PDT, Christian Heusel wrote:
> the sole purpose of a signature by one the master key holders (and
> following that the inclusion of a key in `archlinux-keyring`) is to
> enable someone to package for the _official_ Arch Linux repositories

This stands out to me: while AUR helpers (yay, pakku) do end up using a user's
keyring in conjunction with `validpgpkeys`, it sounds as if that's either
unexpected or some unintentional side-effect.

While I disagree about the the assertion that it does not increast
trustworthiness to sign an upstream source with a key which is signed by a key
already in the users' webs of trust (namely, `archlinux-keyring`), it's obvious
that not only is this a sort of hacky solution, but that it's being generally
frowned upon -- seeing as there's not been a single encouraging response from
anyone in the core team. Yeah, it's only been a day, but still... it was a long
shot anyway idea, and I'm not really energized to pursue it.

It's a challenging situation for FOSS software developers: we already invest
time and money to develop software to give away gratis; the Bazaar is being
poisoned by these supply-chain attacks, in AUR but also Go and npm. I still hope
to find a reputation-based solution; right now, Arch's implicit trust model is
locked to core Arch maintainers and it doesn't scale to (e.g.) AUR contributors.
I'm not implying that it _should_, just that I don't see a way to offer more
trust to users. I also don't want AUR to get harder to contribute to; I also
manage packages in Alpine, and it's significantly slower and harder to release
versions, and with more burden on Alpine maintainers.

Anyway, thanks to everyone who responded.

--- SER   
Sean E. Russell (https://ser1.net)    
OpMsg: https://ser1.net/.well-known/opmsg.txt    
GPG key: https://ser1.net/.well-known/pgp.asc    
Minisign: https://ser1.net/.well-known/minisign.pub    
Age: age195vpft7nzsy83medxagqqsge0lrcuf9txe3z2znlu2wsk69cdu4sx8nfvp    

Reply via email to