Hi all,

if you are a main signing key holder or a packager for Arch Linux, please read this mail very carefully!

We are currently blocked from releasing a new version of archlinux-keyring, as a release would imply demoting a few packager keys to marginal trust (a.k.a. not enough signatures from our signing keys to be allowed to package). Some of these marginal trust keys still (or again...) have packages in the repositories.

All in all the keyring is not in very good shape due to missing revocations or signatures (and broken keys that block us from updating to a newer gnupg version, but that is for another email).

Blocking the release of archlinux-keyring for this long is problematic in several ways:

* existing keys that need to be updated are blocked from being released to the users and packages may need to be rebuilt if keys expire on user systems (which leads to manual action to install the keyring first, etc.)
* new keys cannot be released to the users (blocking packagers from packaging, leading to many outdated packages that need to be taken over by other packagers)
* the updated trust status of revoked keys cannot be released to the users (allowing old keys to still package)

# Marginal trust keys

There are currently 25(!) marginal trust keys in the keyring, some of which are old and superseded by new keys (I had to manually assign which of the keys are old/new/current for the below overview).

```
alucryd     9437DD3815A7A9169E3D3946AFF5D95098BC6FF5 ~ marginal - old
andrewSC    601F20F1D1BBBF4A78CF5B6DF6B1610B3ECDBC9F ~ marginal - current
arodseth    8A9BC5819C54FEB3DC2A9B48C32217F6F13FF192 ~ marginal - old
arodseth    962855F072C7A01846405864FCF3C8CB5CF9C8D4 ~ marginal - new
cbehan      6EA3F3F3B9082632A9CBE931D53A0445B47A0DAB ~ marginal - old
coderobe    54EB4D6DB209862C8945CACCED84945B35B2555C ~ marginal - current
dbermond    3FFA6AB7B69AAE6CCA263DDE019A7474297D8577 ~ marginal - old
djgera      0F334D8698881578F65D2AE55ED514A45BD5C938 ~ marginal - old
escondida   CB33B736591A9CA06098A9A5FCAC9CF5A6EE1209 ~ marginal - old
farseerfc   4B1DE545A801D4549BFD3FEF90CB3D62C13D4796 ~ marginal - old
ibiru       F4DDD6DDCEC320B665F502AAE8F18BA1615137BC ~ marginal - old
jlichtblau  38EDD1886756924E1224E49524E4CDB0013C2580 ~ marginal - current
jsteel      8742F7535E7B394A1B048163332C9C40F40D2072 ~ marginal - current
juergen     355BDB97ED4724E6B3A450E7A3D9562A589874AB ~ marginal - old
kgizdov     4BE61D684CB4E31741614E7089AA27231C530226 ~ marginal - old
kkeen       48C3B1F30DDD0FE67E516D16396E3E25BAB142C1 ~ marginal - current
maximbaz    EB4F9E5A60D32232BB52150C12C87A28FEAC6B20 ~ marginal - old
mtorromeo   2C118C620F02DB9AC1D0F9FA94DD2393DA2EE423 ~ marginal - old
muflone     C521846436D75A3294795B27B4360204B250F0D3 ~ marginal - old
nicohood    97312D5EB9D7AE7D0BD4307351DAE9B7C1AE9161 ~ marginal - current
spupykin    3E518BF2526FD1979E8AAE4965C110C1EA433FC7 ~ marginal - old
tensor5     A9B6710D760F6617C530746EC847B6AEB0544167 ~ marginal - old
thomas      A314827C4E4250A204CE6E13284FC34C8E4B1A25 ~ marginal - old
wild        0E87D6C3F9AF7FDED0C8588D22E3B67B4A86FDE7 ~ marginal - old
xyne        EC3CBE7F607D11E663149E811D1F0DC78F173680 ~ marginal - old
```

# Revoking "old" marginal trust keys

Revoking these "old" keys is *very important* so that `keyringctl` properly assigns trust to the packager keys (no old key should be fully trusted or have marginal trust) and helps a lot in figuring out which keys need immediate attention going forward (because they are new or current keys!).

As I have gotten mostly no reply from signing key holders in regards to this, I hereby ask Florian, Pierre and Levente to please revoke keys that need revoking [1] *now* and make sure that the revocation certificates are merged into the archlinux-keyring repository. The amount of open tickets is increasing and it makes working with the keyring more and more difficult if no action is taken!

# Rebuilding packages of "old" marginal trust keys

For some packager keys the process of rebuilding their packages has already been started more than four months ago [2]; some of these rebuilds are completed, but there are still some left [3][4][5]. I have checked the list of "old" marginal keys to see whether there are any packages in the repositories signed by them ([6]) and have created rebuild TODOs for any that needed them.

# **IMPORTANT**: Rebuilding packages of "current" marginal trust keys

If by Friday, 2022-07-15 20:00 CEST the marginal trust status of the "current" keys is not improved to fully trusted, the packages in the repositories signed by them will be rebuilt and a new version of archlinux-keyring will be released as soon as that is done (2022-07-16 or 2022-07-17 depending on availability). Help with any upcoming rebuilds will be very much appreciated!

This means those "current" keys cannot be used for packaging anymore. If you are the holder of an affected key or a main signing key holder, please communicate this accordingly, so that the key can be signed and a signature be merged in time!

# Setting up packager keys for archweb

If you are the holder of a packager key, please make sure to select your "current" or "new" packager key in your archweb profile, so that the signature status [7] is displayed correctly. We have *a lot* of keys that are not set up correctly.

# New main signing key: Jonas Witschel

Last but not least, I would like to thank Jonas for stepping up and taking on the responsibility of main signing key for Arch Linux [8]. Most, if not all, packagers should by now have received a verification email by him :)

Best,
David

[1] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues/?label_nam...
[2] https://lists.archlinux.org/archives/list/arch-dev-public@lists.archlinux.or...
[3] https://archlinux.org/todo/rebuild-packages-signed-by-48c3b1f30ddd0fe67e516d...
[4] https://archlinux.org/todo/rebuild-packages-signed-by-9437dd3815a7a9169e3d39...
[5] https://archlinux.org/todo/rebuild-packages-signed-by-4b1de545a801d4549bfd3f...
[6] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/f...
[7] https://archlinux.org/master-keys/
[8] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/commit/42ca7f2c5e...

-- 
https://sleepmap.de
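As an added example (not code from the archlinux-keyring project or from `keyringctl`), the following Python script classifies packager keys from a `gpg --with-colons --list-sigs` listing along the lines of the trust levels discussed in the mail: a key is fully trusted once enough main signing keys have certified it, otherwise it stays marginal, and a revoked key gets no trust regardless of its signatures. The main key IDs, fingerprints and the sample listing are constructed, and the threshold of three main-key signatures is an assumption.

```python
"""Classify packager keys by main-signing-key certifications (added example,
not code from archlinux-keyring or keyringctl). Input is the colon format of
`gpg --with-colons --list-sigs`; all IDs and fingerprints are constructed."""
MAIN_KEY_IDS = {"1111111111111111", "2222222222222222", "3333333333333333"}  # constructed stand-ins
REQUIRED_MAIN_SIGS = 3  # assumed number of main-key signatures needed for full trust

def parse_listing(listing):
    """One dict {keyid, fpr, revoked, signers} per primary key in the listing."""
    keys, cur = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":           # primary key; field 2 is validity ('r' = revoked)
            cur = {"keyid": f[4], "fpr": None, "revoked": f[1] == "r", "signers": set()}
            keys.append(cur)
        elif f[0] == "sub":         # subkey sigs are binding sigs, not certifications
            cur = None
        elif cur is None:
            continue
        elif f[0] == "fpr" and cur["fpr"] is None:
            cur["fpr"] = f[9]       # first fpr record after pub is the primary fingerprint
        elif f[0] == "sig" and f[1] not in ("-", "%", "?"):  # skip bad/unverifiable (--check-sigs)
            if f[4] != cur["keyid"]:            # self-signatures do not count
                cur["signers"].add(f[4])
    return keys

def classify(key):
    """Revoked keys get no trust; enough main-key certifications give full trust."""
    if key["revoked"]:
        return "revoked"
    return "full" if len(key["signers"] & MAIN_KEY_IDS) >= REQUIRED_MAIN_SIGS else "marginal"

def trust_report(listing):
    return {k["fpr"]: classify(k) for k in parse_listing(listing)}

def sample_key(keyid, validity, signers):
    """Constructed pub/fpr/uid/sig block in gpg colon format for one packager key."""
    uid = f"Packager {keyid[-4:]} <{keyid[-4:].lower()}@example.org>"
    fpr = keyid[:8] * 5  # 40 hex characters; constructed, not a real fingerprint
    lines = [f"pub:{validity}:4096:1:{keyid}:1650000000:::-:::scESC::::::23::0:",
             f"fpr:::::::::{fpr}:",
             f"uid:{validity}::::1650000000::{'0' * 40}::{uid}::::::::::0:",
             f"sig:::1:{keyid}:1650000000::::{uid}:13x:::::2:"]  # self-signature
    lines += [f"sig:::1:{s}:1650000000::::Main Key {s[-4:]} <main@example.org>:13x:::::2:" for s in signers]
    return "\n".join(lines)

SAMPLE_LISTING = "\n".join([
    sample_key("AAAAAAAAAAAAAAAA", "f", ["1111111111111111", "2222222222222222", "3333333333333333"]),
    sample_key("BBBBBBBBBBBBBBBB", "m", ["1111111111111111", "2222222222222222"]),
    sample_key("CCCCCCCCCCCCCCCC", "r", ["1111111111111111", "2222222222222222", "3333333333333333"]),
])
```

Run `gpg --with-colons --check-sigs` rather than `--list-sigs` on a real keyring so that bad or unverifiable signatures carry the marker in field 2 and are skipped.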