Hi everyone, How about the following news item? ======== Title: Having pacman verify packages Over the past six months, pacman has had package verification features, although they were turned off while we were still figuring out the details of our public-key infrastructure. This work has resulted in the <a href="https://www.archlinux.org/packages/core/any/archlinux-keyring/">archlinux-keyring package</a> which contains all the data you need to authenticate packages as made by official Arch packagers (developers and trusted users). Having pacman verify packages is now as easy as doing: pacman -Syu archlinux-keyring pacman-key --init pacman-key --populate archlinux The archlinux-keyring package contains five master keys that are used to authenticate official Arch packagers, so you do not need to know who joins or leave the team: you just have to verify those five master keys once and for all. This last command will prompt you to do so; please do this cautiously by checking the fingerprints displayed against <a href="https://www.archlinux.org/master-keys/">those published on our website</a>. Then, set the following in your pacman.conf: SigLevel = PackageRequired TrustedOnly And you should be good to go! For more details on the development of pacman and archlinux-keyring, see the blog posts of <a href="http://allanmcrae.com/2011/12/pacman-package-signing-4-arch-linux/">Allan</a> and <a href="https://pierre-schmitz.com/verify-all-the-packages/">Pierre</a>. ======== Cheers. -- Gaetan