On Fri, Aug 8, 2014 at 10:06 AM, Dave Reisner email@example.com wrote:
> On Thu, Aug 07, 2014 at 09:57:24PM +0200, Fabien Dubosson wrote:
>> I want to start a discussion about AUR packages signing. If this debate already happened, it means that I'm not really good with Google or unfortunate in the keywords I used in my searches: in these cases forgive me and just give me some pointers.
>> TL;DR I personally "trust" some AUR users who have several good-quality packages, and an optional way to sign AUR packages would permit me to know that I can build and update their packages without worrying too much.
>
> I did read your proposal, but my comment can be framed in the context of your tl;dr:
> You don't really seem to want GPG signatures, just a whitelist of package maintainers by name. Any AUR helper could implement support for this today, with no changes to the AUR.
Which reminds me of the old bauerbill Xyne wrote, which did precisely that =)
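As an added illustration of the maintainer-whitelist idea raised in the thread (this is example code, not bauerbill's or any AUR helper's own implementation): the check below reads package info in the shape of the AUR RPC v5 "info" reply (the JSON here is a constructed sample, not fetched from the AUR), compares each maintainer against a hypothetical trust list, and also flags orphaned packages and packages whose maintainer differs from the one recorded at the last build. That last check is the caveat a name-based whitelist needs: it trusts the AUR server's account data rather than a key, so an orphaned package adopted by someone else, or a handover, should be noticed rather than built silently.

```python
import json

# Constructed sample shaped like the AUR RPC v5 "info" response (fields trimmed);
# an AUR helper would fetch this from the AUR instead. "baz" is an orphan.
SAMPLE_RPC_RESPONSE = json.dumps({
    "version": 5,
    "type": "multiinfo",
    "resultcount": 3,
    "results": [
        {"Name": "foo-git", "Maintainer": "alice", "Version": "1.2-1"},
        {"Name": "bar", "Maintainer": "mallory", "Version": "0.9-3"},
        {"Name": "baz", "Maintainer": None, "Version": "2.0-1"},
    ],
})

# Hypothetical trust list: AUR account names this user chooses to trust.
TRUSTED_MAINTAINERS = frozenset({"alice", "bob"})

# Hypothetical record of the maintainer seen when each package was last built.
PREVIOUS_MAINTAINERS = {"foo-git": "alice", "bar": "bob"}


def parse_info(raw):
    """Return {package name: maintainer or None} from an RPC v5 info reply."""
    data = json.loads(raw)
    if data.get("type") == "error":
        raise ValueError(data.get("error", "AUR RPC error"))
    return {r["Name"]: r.get("Maintainer") for r in data.get("results", [])}


def classify(name, maintainer, trusted, previous):
    """Verdict for one package: orphaned, maintainer-changed, trusted or untrusted.

    A changed maintainer is reported even when the new one is trusted, because the
    whitelist is by name only and a handover is worth a human look."""
    if maintainer is None:
        return "orphaned"
    if name in previous and previous[name] != maintainer:
        return "maintainer-changed"
    return "trusted" if maintainer in trusted else "untrusted"


def check_packages(raw, trusted=TRUSTED_MAINTAINERS, previous=None):
    """Map every package in the reply to its verdict."""
    previous = previous or {}
    return {n: classify(n, m, trusted, previous) for n, m in parse_info(raw).items()}


def packages_ok_to_build(verdicts):
    """Only packages with an unchanged, trusted maintainer are built without review."""
    return sorted(n for n, v in verdicts.items() if v == "trusted")


if __name__ == "__main__":
    verdicts = check_packages(SAMPLE_RPC_RESPONSE, previous=PREVIOUS_MAINTAINERS)
    for name, verdict in sorted(verdicts.items()):
        print(f"{name:10} {verdict}")
    print("build without review:", packages_ok_to_build(verdicts))
```

Run against the sample, `foo-git` is trusted, `bar` is reported as maintainer-changed (recorded as `bob`, now `mallory`) and `baz` as orphaned; only `foo-git` lands in the build list.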