On Sat, Jan 7, 2012 at 2:01 AM, Allan McRae <allan@archlinux.org> wrote:
Hi,
I think it is about time that we started enforcing that all package uploads are signed by a trusted signature. With the way our web-of-trust works, that means anybody without their keys signed by at least three of the Arch Linux Master Keys will no longer be able to upload packages.
All master keys holders have been available for key signing for over a month (some nearer to two months...) so there has been plenty of opportunity to have this done. Enforcing all signatures are trusted means anyone using signature checking in pacman only needs to import and trust the master keys.
I realize I'm the pain in the ass requiring a bit more before I sign your keys, but given we have 5 master keys, and we're only enforcing 3 signatures (at least at this point in the game), I am on board with requiring this. I do plan to get back to my backlog of requests soon enough. -Dan