On Sat, 23 Jul 2022 at 19:39, David Runge <dave@sleepmap.de> wrote:
Packages that are signed with a key that still had marginal trust in release A (and therefore already existed on the user system since release A) and gained full trust in release B will not be updated before the user does a system upgrade. This leads to the requirement of installing archlinux-keyring before doing a system upgrade, as otherwise the key will still have marginal trust on the user system and the signatures of other updated packages using the key in question will fail to validate.
This is solvable by not cutting a release with marginally trusted keys. Having all Arch Linux installations make 100-ish requests daily to cover such an edge case is a misutilization of resources (on both sides). I'm certain there are also privacy concerns about enabling this service by default. Furthermore, I doubt our users need to have their systems babysat like this. In the rare situation where archlinux-keyring must be updated first, the user should be able to handle it by themselves. As you said, pacman will fetch new keys using WKD so, as long as marginally trusted keys are excluded from keyring releases, there's no issue with onboarding new people. tl;dr: I'm vibing way more with continuing to rely on the archlinux-keyring package exclusively; auto-updates are sus.