On 3/2/22 11:38 AM, Sebastian Wiesner via aur-dev wrote:
> For this to work AUR would need to publicly expose SSH keys in user profile packages, which definitely requires some care wrt privacy.

GitHub (and GitLab) both expose users' public SSH and PGP keys to the web. Take me for example, though you could search & replace with any valid username:

* https://github.com/pedanticdm.keys
* https://github.com/pedanticdm.gpg

(I'm most familiar with GitHub, hence this and a future example.)

Waxing pedantic, I'm not sure how many "privacy" concerns exist in this space since we're dealing in public keys (it's in the name). Trust and integrity (cough SKS keyservers cough) are the prominent concerns in my mind.

> But if there's interest in the feature, I'd be happy to start working on a patch to aurweb to contribute this feature.

I see some value in it. Nothing fancy would be required. GitHub, for instance, presents a "verified" tag alongside every commit signed by UserA with the public key UserA uploaded to their account, plus a commit Author field with correct data. And, in Vigilant Mode, you get scary "unverified" and discomforting "partially verified" tags as well. ^_^

Have a good weekend, everyone!

Cheers!