[arch-dev-public] Urgent reminder about packager PGP keys and packages
Hi all, as mentioned mid January [1] we are currently en-route to deprecating Allan's main signing key [2]. For this purpose I have added 11 rebuild TODOs for packages signed by packager keys that have been superseded by newer ones (and should then also be removed). These packages need to be rebuilt using the new packager key (or any other valid packager key, that is not explicitly mentioned in any of the TODOs), as they block the removal of Allan's main signing key. You can do so with the help of rebuild-todo (which is part of archlinux-contrib). Have a look at its help output for all available options. Please also make sure to setup your current PGP key ID in your archweb profile, so that the information on the website [3] is correct and up-to-date. The following packagers have not yet created a new key and block the effort towards deprecating Allan's signing key as well: - bgyorgy (CE0BDE71A759A87F23F0F7D8B61DBCE10901C163) - archange (69DA34D78FE0EFD596AC6D049D893EC4DAAF9129) - arodseth (962855F072C7A01846405864FCF3C8CB5CF9C8D4) - kylekeen (48C3B1F30DDD0FE67E516D16396E3E25BAB142C1) - farseerfc (4B1DE545A801D4549BFD3FEF90CB3D62C13D4796) Please make sure to create new packager keys, have them signed by at least three main signing keys and rebuild all packages signed by the old packager key until the beginning of April. After that we will start mass-rebuilds of the remaining packages in question and commence with the revocation of Allan's key (which means that the above packager keys can not be used for packaging anymore) unless other blockers come up. If you have questions, please reach out via e-mail, or in #archlinux-staff on libera.chat. Best, David [1] https://lists.archlinux.org/pipermail/arch-dev-public/2022-January/030617.ht... [2] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues/148 [3] https://archlinux.org/master-keys/ -- https://sleepmap.de
participants (1)
-
David Runge