[2012-11-20 20:48:42 -0800] Jesus Alvarez:
The reason I ask this is because I created two signed repositories for some packages I maintain, zfs and netflix-desktop. They do have usage, and in my forum posts, people seem to really appreciate the availability of the repo. However, I am not a TU, so my keys are not signed by any of the master keys. I don't want to contribute to a bad habit of not checking package sources before installing something from some repo. When I brought the topic up in #archlinux, there was some concern I was using a repo and not solely relying on AUR.
Having your personal repository in open access is great! It is always nice to upload to the AUR the sources of those packages that you expect will be of use to other people, but that can perfectly well be done on top of putting them in your personal repository. In my opinion it is entirely up to people who install packages from your repository to verify their quality; the only thing you can do is make it easier for them by making the sources available, publishing your signing key at many places, etc. (And you seem to say you have been doing that.)

I would just additionally recommend putting a short banner at the root of your repository to act both as a short howto and legal statement; here is mine for instance: http://arch.vesath.org/00.README.TXT

That's it. There are no official guidelines or anything like that, and the above is the only etiquette I can think of.

Cheers.
-- Gaetan