On 02/04/2022 09:50, Sebastian Wiesner via aur-dev wrote:
Am Freitag, dem 01.04.2022 um 18:33 -0700 schrieb Kevin Morris via aur- dev:
This brings up a question, though:
How do we treat verified commits? Do we check these at all from a server, standpoint, or is it purely for consumers?
I already sign my AUR commits, and I can verify them:
(venv) { kevr sprunge } > git verify-commit 8d5259274278ac103c45622ed91b5ee83673db2 gpg: Signature made Mon 03 Jan 2022 01:28:24 PM PST gpg: using RSA key 0F985B6F99B6686854C44EC3F7E46DED420788F3 gpg: Good signature from "Kevin Morris (kevr) <kevr@0cost.org>" [ultimate]
So this seems to already be possible. Are we looking for some kind of AUR package webview visible Verified tag that shows when HEAD is verified?
I'd like to have a "Verified" badge in order to encourage signing.
As AURWeb uses cgit to display git commits, showing a verified badge should be implemented upstream. [1] [1] https://git.zx2c4.com/cgit/about/