Re: [arch-dev-public] Enforcing trusted signatures on all package uploads

On Sat, 07 Jan 2012 18:01:12 +1000 Allan McRae wrote:

Hi,

I think it is about time that we started enforcing that all package uploads are signed by a trusted signature. With the way our web-of-trust works, that means anybody without their keys signed by at least three of the Arch Linux Master Keys will no longer be able to upload packages.

All master keys holders have been available for key signing for over a month (some nearer to two months...) so there has been plenty of opportunity to have this done. Enforcing all signatures are trusted means anyone using signature checking in pacman only needs to import and trust the master keys.

I see Pierre has already committed the needed change to dbscripts, they just need enabled. Is there anything stopping this happening?

FYI, the following people have packages in the repos and do not have the required number of master key signatures to be trusted:

[allan@gerolde ~]$ for i in /srv/ftp/pool/{packages,community}/*.sig; do pacman-key --verify $i; done 2>&1 | grep -B1 WARNING | grep from | sort | uniq gpg: Good signature from "Jaroslav Lichtblau (trusted user) " gpg: Good signature from "Kevin Piche " gpg: Good signature from "Ronald van Haren " gpg: Good signature from "Vesa Kaihlavirta "

Allan

if they are inactive, they can fix their signatures at the time they want to be active again. I wouldn't wait for them. Dieter