On Thu, Aug 07, 2014 at 09:57:24PM +0200, Fabien Dubosson wrote:
I want to start a discussion about AUR packages signing. If this debate already happened, it means that I'm not really good with Google or unfortunate in the keywords I used in my searches: in these cases forgive me and just give me some pointers.
TL;DR I personally "trust" some AUR users who have several good-quality packages, and an optional way to sign AUR packages would permit me to know that I can build and update their packages without worrying too much.
I did read your proposal, but my comment can be framed in the context of your tl;dr:
You don't really seem to want GPG signatures, just a whitelist of package maintainers by name. Any AUR helper could implement support for this today, with no changes to the AUR.