On Monday, 04.04.2022 at 10:20 +0200, Jelle van der Waa via aur-dev wrote:
On 02/04/2022 09:50, Sebastian Wiesner via aur-dev wrote:
On Friday, 01.04.2022 at 18:33 -0700, Kevin Morris via aur-dev wrote:
This brings up a question, though:
How do we treat verified commits? Do we check these at all from a server standpoint, or is it purely for consumers?
I already sign my AUR commits, and I can verify them:
(venv) { kevr sprunge } > git verify-commit 8d5259274278ac103c45622ed91b5ee83673db2
gpg: Signature made Mon 03 Jan 2022 01:28:24 PM PST
gpg:                using RSA key 0F985B6F99B6686854C44EC3F7E46DED420788F3
gpg: Good signature from "Kevin Morris (kevr) <kevr@0cost.org>" [ultimate]
So this seems to already be possible. Are we looking for some kind of AUR package webview visible Verified tag that shows when HEAD is verified?
I'd like to have a "Verified" badge in order to encourage signing.
As AURWeb uses cgit to display git commits, showing a verified badge should be implemented upstream. [1]
I'd like that badge to have a prominent place on the AUR package pages, not hidden away in the Git commit display (I didn't even know that this existed so far). E.g. right under the "Git clone URL" there could be a "HEAD commit: Signed by package maintainer" or "HEAD commit: Unsigned/unknown signature" line to indicate that the latest commit was or wasn't signed with an SSH or PGP key of one of the maintainers of the package.

Cheers,
Basti
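The server-side check the thread is circling around, written out as an added example (this is not aurweb code and not anything the participants posted). It feeds the raw GnuPG status output of `git verify-commit --raw HEAD` into a small classifier and compares the signing key against a set of maintainer key fingerprints. The maintainer fingerprint set is a hypothetical input: aurweb does not store PGP fingerprints for maintainers today, so that mapping is assumed. Only OpenPGP signatures are handled; the SSH-signature case Basti mentions would go through `ssh-keygen -Y verify` and is not covered here. All sample status lines and fingerprints below are constructed, not taken from a real repository.

```python
"""Classify the signature on a git commit from GnuPG's machine-readable status.

Added example for the aur-dev discussion above; not aurweb's own code.
Assumption: the package's maintainers are known by their full 40-hex-digit
OpenPGP key fingerprints (hypothetical input, aurweb has no such table).
"""
import re
import subprocess
from typing import Dict, Iterable, List, Set

STATUS_PREFIX = "[GNUPG:] "


def parse_gpg_status(raw: str) -> Dict[str, List[List[str]]]:
    """Group '[GNUPG:] KEYWORD arg...' lines by keyword; keywords may repeat."""
    out: Dict[str, List[List[str]]] = {}
    for line in raw.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if fields:
            out.setdefault(fields[0], []).append(fields[1:])
    return out


def normalize_fpr(fpr: str) -> str:
    """Compare fingerprints case- and whitespace-insensitively."""
    return re.sub(r"\s+", "", fpr).upper()


def classify_signature(raw_status: str, maintainer_fprs: Iterable[str]) -> str:
    """Return the badge text for one commit's verify-commit --raw output.

    Matching is done on full fingerprints, never on 8- or 16-digit key IDs,
    which are cheap to collide. Both the signing (sub)key fingerprint and the
    primary key fingerprint carried by VALIDSIG are accepted, because
    maintainers typically register the primary key but sign with a subkey.
    Web-of-trust lines (TRUST_*) are ignored: pinning fingerprints is the
    trust decision here, not the server's keyring trust database.
    """
    allowed: Set[str] = {normalize_fpr(f) for f in maintainer_fprs}
    st = parse_gpg_status(raw_status)
    if not st:
        # git verify-commit prints nothing for a commit without a signature.
        return "unsigned"
    if "BADSIG" in st:
        return "bad signature"
    if "ERRSIG" in st or "NO_PUBKEY" in st:
        # Signature present but could not be checked (key not in keyring).
        return "unknown signature"
    if "EXPKEYSIG" in st or "REVKEYSIG" in st:
        return "signed with expired or revoked key"
    if "GOODSIG" not in st or "VALIDSIG" not in st:
        return "unknown signature"
    for args in st["VALIDSIG"]:
        # VALIDSIG: <fpr> <date> <ts> <expire> <ver> <rsvd> <pkalgo> <hash>
        #           <sigclass> [<primary-key-fpr>]
        candidates = {normalize_fpr(args[0])}
        if len(args) >= 10:
            candidates.add(normalize_fpr(args[9]))
        if candidates & allowed:
            return "signed by package maintainer"
    return "signed by non-maintainer key"


def badge_for_head(repo_path: str, maintainer_fprs: Iterable[str]) -> str:
    """Run git on a real checkout; --raw sends gpg status lines to stderr."""
    proc = subprocess.run(
        ["git", "-C", repo_path, "verify-commit", "--raw", "HEAD"],
        capture_output=True, text=True,
    )
    return classify_signature(proc.stderr, maintainer_fprs)


# Constructed sample data (made-up fingerprints, not real keys).
MAINTAINER_PRIMARY = "1111222233334444555566667777888899990000"
SIGNING_SUBKEY = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"

SAMPLE_GOOD_SUBKEY = "\n".join([
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] KEY_CONSIDERED {MAINTAINER_PRIMARY} 0",
    "[GNUPG:] SIG_ID 3KfQ0Zr7bJ2l8n1oXc4M5Vw6Yt9 2022-01-03 1641245304",
    "[GNUPG:] GOODSIG 0000111122223333 Example Maintainer <m@example.org>",
    f"[GNUPG:] VALIDSIG {SIGNING_SUBKEY} 2022-01-03 1641245304 0 4 0 1 10 00 {MAINTAINER_PRIMARY}",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
])
SAMPLE_UNKNOWN_KEY = "\n".join([
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] ERRSIG 0000111122223333 1 10 00 1641245304 9 {SIGNING_SUBKEY}",
    "[GNUPG:] NO_PUBKEY 0000111122223333",
])
SAMPLE_BAD = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 0000111122223333 Example Maintainer <m@example.org>",
])

if __name__ == "__main__":
    for name, sample in [("subkey", SAMPLE_GOOD_SUBKEY), ("unknown", SAMPLE_UNKNOWN_KEY),
                         ("bad", SAMPLE_BAD), ("unsigned", "")]:
        print(f"{name:9s} HEAD commit: {classify_signature(sample, {MAINTAINER_PRIMARY})}")
```

The subkey case is the one worth keeping in mind when wiring this into a badge: a check that only compares the first VALIDSIG field against registered primary-key fingerprints would report a perfectly good maintainer signature as "non-maintainer key".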