[arch-dev-public] Enforcing trusted signatures on all package uploads
Hi,
I think it is about time that we started enforcing that all package uploads are signed by a trusted signature. With the way our web-of-trust works, that means anybody without their keys signed by at least three of the Arch Linux Master Keys will no longer be able to upload packages.
All master keys holders have been available for key signing for over a month (some nearer to two months...) so there has been plenty of opportunity to have this done. Enforcing all signatures are trusted means anyone using signature checking in pacman only needs to import and trust the master keys.
I see Pierre has already committed the needed change to dbscripts, they just need enabled. Is there anything stopping this happening?
FYI, the following people have packages in the repos and do not have the required number of master key signatures to be trusted:
[allan@gerolde ~]$ for i in /srv/ftp/pool/{packages,community}/*.sig; do pacman-key --verify $i; done 2>&1 | grep -B1 WARNING | grep from | sort | uniq
gpg: Good signature from "Jaroslav Lichtblau (trusted user) <dragonlord@aur.archlinux.org>"
gpg: Good signature from "Kevin Piche <kevin@archlinux.org>"
gpg: Good signature from "Ronald van Haren <ronald@archlinux.org>"
gpg: Good signature from "Vesa Kaihlavirta <vegai@iki.fi>"
Allan
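An added example, not part of the original message or of dbscripts: a small filter that reads the gpg output printed by pacman-key --verify and lists each signer whose good signature drew the "not certified with a trusted signature" warning. It also covers keys with extra "aka" uid lines, where the line directly before the WARNING is not the "Good signature from" line. The sample output, names and key IDs are constructed.

```shell
#!/bin/sh
# Constructed sample of gpg verification output for four signature files.
# Names, addresses, dates and key IDs are made up for illustration.
sample_output() {
cat <<'EOF'
gpg: Signature made Sat Jan  7 10:00:00 2012 UTC using RSA key ID AAAAAAAA
gpg: Good signature from "Example Packager One <one@example.org>"
gpg: Signature made Sat Jan  7 10:05:00 2012 UTC using RSA key ID BBBBBBBB
gpg: Good signature from "Example Packager Two <two@example.org>"
gpg:                 aka "Example Packager Two (old uid) <two@example.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
gpg: Signature made Sat Jan  7 10:06:00 2012 UTC using RSA key ID BBBBBBBB
gpg: Good signature from "Example Packager Two <two@example.org>"
gpg:                 aka "Example Packager Two (old uid) <two@example.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
gpg: Signature made Sat Jan  7 10:10:00 2012 UTC using RSA key ID CCCCCCCC
gpg: BAD signature from "Example Packager Three <three@example.org>"
EOF
}

# untrusted_signers: read gpg verification output on stdin and print the
# primary uid of every good-but-untrusted signature, one line per signer.
untrusted_signers() {
    awk '
        # Each verification starts here; forget the previous signer.
        /^gpg: Signature made/ { signer = "" }
        # Remember the primary uid between the double quotes.
        /^gpg: Good signature from/ {
            signer = $0
            sub(/^gpg: Good signature from "/, "", signer)
            sub(/".*$/, "", signer)
        }
        # Report the remembered signer when the trust warning follows,
        # however many "aka" lines sit in between.
        /^gpg: WARNING: This key is not certified/ && signer != "" {
            print signer
            signer = ""
        }
    ' | sort -u
}

# Stand-alone run over the constructed sample.
sample_output | untrusted_signers
```

On a repository host the function would read the real output instead, for example by piping the 2>&1 output of the verification loop into untrusted_signers.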
On Sat, 07 Jan 2012 18:01:12 +1000 Allan McRae <allan@archlinux.org> wrote:
Hi,
I think it is about time that we started enforcing that all package uploads are signed by a trusted signature. With the way our web-of-trust works, that means anybody without their keys signed by at least three of the Arch Linux Master Keys will no longer be able to upload packages.
All master keys holders have been available for key signing for over a month (some nearer to two months...) so there has been plenty of opportunity to have this done. Enforcing all signatures are trusted means anyone using signature checking in pacman only needs to import and trust the master keys.
I see Pierre has already committed the needed change to dbscripts, they just need enabled. Is there anything stopping this happening?
FYI, the following people have packages in the repos and do not have the required number of master key signatures to be trusted:
[allan@gerolde ~]$ for i in /srv/ftp/pool/{packages,community}/*.sig; do pacman-key --verify $i; done 2>&1 | grep -B1 WARNING | grep from | sort | uniq
gpg: Good signature from "Jaroslav Lichtblau (trusted user) <dragonlord@aur.archlinux.org>"
gpg: Good signature from "Kevin Piche <kevin@archlinux.org>"
gpg: Good signature from "Ronald van Haren <ronald@archlinux.org>"
gpg: Good signature from "Vesa Kaihlavirta <vegai@iki.fi>"
Allan
If they are inactive, they can fix their signatures at the time they want to be active again. I wouldn't wait for them.
Dieter
On Sat, Jan 7, 2012 at 2:01 AM, Allan McRae <allan@archlinux.org> wrote:
Hi,
I think it is about time that we started enforcing that all package uploads are signed by a trusted signature. With the way our web-of-trust works, that means anybody without their keys signed by at least three of the Arch Linux Master Keys will no longer be able to upload packages.
All master keys holders have been available for key signing for over a month (some nearer to two months...) so there has been plenty of opportunity to have this done. Enforcing all signatures are trusted means anyone using signature checking in pacman only needs to import and trust the master keys.
I realize I'm the pain in the ass requiring a bit more before I sign your keys, but given we have 5 master keys, and we're only enforcing 3 signatures (at least at this point in the game), I am on board with requiring this. I do plan to get back to my backlog of requests soon enough.
-Dan
On 07.01.2012 09:01, Allan McRae wrote:
I see Pierre has already committed the needed change to dbscripts, they just need enabled. Is there anything stopping this happening?
Good question. I installed pacman 4 on both gerolde and sigurd and set up a keyring. I set up the trusted master keys. All we need is for Pierre to give us the green light on his repo and pull it on both servers. I've been in Pierre's ears about this for two weeks - I have no idea what's holding this back.
participants (4)
- Allan McRae
- Dan McGee
- Dieter Plaetinck
- Thomas Bächler