Hi all, with pacman 4.0.3 in [testing] and as all repos are now completely signed we should have everything we need to finalize the keyring package. The archlinux-keyring package in [testing] should update your pacman keyring or ask you to initialize it first. It will then ask you for each master key to confirm it's trust. What is left to do? * Maybe have pacman depend on archlinux.keyring * Set "SigLevel = Required" for all our repos in our default pacman.conf * Write a news item which describes the steps how to setup your pacman keyring (entropy problem should be covered) and how to install our keyring package * Think about if we should advice to start with a new keyring for those who already had used "SigLevel = TrustedOnly" and therefor imported and trusted individual keys. E.g. what happens if we revoke just a key etc.. PS: If you like to test several scenarios you can simply move /etc/pacman.d/gnupg. Greetings, Pierre -- Pierre Schmitz, https://pierre-schmitz.com