7 Apr 2018, 11:55 a.m.
On April 7, 2018 8:23:08 AM GMT+02:00, Pierre Neidhardt via aur-general <aur-general@archlinux.org> wrote:
> To perform the complete operation on soyuz, we need to forward the gpg-socket (and the SSH socket if different) to soyuz, which defeats the PGP / Web of Trust security model: for a person with root access to soyuz, the private key is only one passphrase away.
> Thoughts?
Yes, truly defeats it. I explicitly do not recommend forwarding it to the build server. For not doing that, you will most likely need to download the final artifacts for signing.

If I recall correctly we had a discussion on that topic with Bluewind, jelle and grazzolini and someone wanted to rephrase the section with better recommendations.

Cheers,
Levente