[arch-dev-public] RFC Final Comment Period: Store PGP keys for source file signatures alongside PKGBUILDs
An RFC has now entered Final Comment Period. In 14 days, discussion will end and the proposal will either be accepted, rejected or withdrawn:

https://gitlab.archlinux.org/archlinux/rfcs/-/merge_requests/11

Please visit the above link for discussion.

Summary: Store the PGP signing keys listed in a PKGBUILD's `validpgpkeys` array alongside the PKGBUILD in our VCS.

Motivation: The PGP keyserver infrastructure has become increasingly brittle over recent years. This can make helping with updates or rebuilds of packages difficult due to lack of access to the valid signing key. Having the signing key exported alongside the PKGBUILD would allow for anybody to import the key into their keyring and verify the source.

On 11/3/22 09:12, Allan McRae via arch-dev-public wrote:
> An RFC has now entered Final Comment Period. In 14 days, discussion will end and the proposal will either be accepted, rejected or withdrawn:
> https://gitlab.archlinux.org/archlinux/rfcs/-/merge_requests/11
> Please visit the above link for discussion.
> Summary: Store the PGP signing keys listed in a PKGBUILD's `validpgpkeys` array alongside the PKGBUILD in our VCS.
> Motivation: The PGP keyserver infrastructure has become increasingly brittle over recent years. This can make helping with updates or rebuilds of packages difficult due to lack of access to the valid signing key. Having the signing key exported alongside the PKGBUILD would allow for anybody to import the key into their keyring and verify the source.

It has been 14 days, with no negative comments. The RFC is now accepted.

I will work on patches to automate this.

Allan
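
A repository-side check for the scheme summarised above, as an added example that is not part of the thread or of Arch Linux's tooling: it reads `validpgpkeys` from a PKGBUILD without sourcing it and reports fingerprints that have no exported key file next to it. The `keys/pgp/<FINGERPRINT>.asc` layout, the function names and the sample PKGBUILD are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample PKGBUILD fragment (not from a real package).
SAMPLE_PKGBUILD = """\
pkgname=example
pkgver=1.0
source=("https://example.org/example-$pkgver.tar.gz"{,.sig})
validpgpkeys=(
  'AAAABBBBCCCCDDDDEEEEFFFF0000111122223333'  # constructed: maintainer key
  "0123456789abcdef0123456789abcdef01234567" # constructed: release key
)
"""

FPR_RE = re.compile(r"^[0-9A-F]{40}$")  # full fingerprint: 40 hex digits

def parse_validpgpkeys(pkgbuild_text):
    """Extract fingerprints from validpgpkeys by parsing text, never by sourcing it."""
    m = re.search(r"^validpgpkeys=\((.*?)\)", pkgbuild_text, re.M | re.S)
    if not m:
        return []
    fprs = []
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0]  # drop trailing shell comments
        for token in line.split():
            fpr = token.strip("'\"").upper()
            if not FPR_RE.match(fpr):
                # Short key IDs are rejected: they do not pin a single key.
                raise ValueError(f"not a full fingerprint: {token!r}")
            fprs.append(fpr)
    return fprs

def missing_keys(pkgbuild_text, keys_dir):
    """Return listed fingerprints that have no <FINGERPRINT>.asc in keys_dir."""
    # Assumed layout: one armored export per key, named after its fingerprint.
    present = {p.stem.upper() for p in Path(keys_dir).glob("*.asc")}
    return [f for f in parse_validpgpkeys(pkgbuild_text) if f not in present]

def demo():
    """Build a constructed checkout where only the first key was exported."""
    with tempfile.TemporaryDirectory() as tmp:
        keys_dir = Path(tmp) / "keys" / "pgp"
        keys_dir.mkdir(parents=True)
        exported = keys_dir / "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333.asc"
        exported.write_text("constructed placeholder, not a real key\n")
        return missing_keys(SAMPLE_PKGBUILD, keys_dir)
```

This checks file presence only; confirming that each file really contains the key with that fingerprint still requires inspecting it with gpg before import.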