On April 7, 2018 8:23:08 AM GMT+02:00, Pierre Neidhardt via aur-general email@example.com wrote:
> To perform the complete operation on soyuz, we need to forward the gpg-socket (and the SSH socket if different) to soyuz, which defeats the PGP / Web of Trust security model: for a person with root access to soyuz, the private key is only one passphrase away.
Yes, truly defeats it. I explicitly do not recommend forwarding it to the build server. To avoid doing that, you will most likely need to download the final artifacts for signing. If I recall correctly, we had a discussion on that topic with Bluewind, jelle and grazzolini, and someone wanted to rephrase the section with better recommendations.
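
A way to check a workstation for the setup this thread advises against, as an added example that is not part of the original messages: it scans OpenSSH client configuration text for Host blocks that forward the SSH agent (`ForwardAgent`) or a gpg-agent socket (`RemoteForward` naming `S.gpg-agent`). The function name, the sample hosts other than soyuz and all socket paths are constructed for illustration.

```python
import re

# Constructed sample of an OpenSSH client config; hosts and paths are illustrative.
SAMPLE_CONFIG = """\
Host soyuz
    HostName soyuz.example.org
    ForwardAgent yes
    RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra

Host mirror
    HostName mirror.example.org
    ForwardAgent no
    # RemoteForward /run/user/1000/gnupg/S.gpg-agent /tmp/x

Host git
    remoteforward=/home/me/.gnupg/S.gpg-agent.ssh /run/user/1000/gnupg/S.gpg-agent.ssh
"""

def find_agent_forwarding(config_text):
    """Return {host_pattern: [reasons]} for Host blocks that forward an agent socket.

    Simplification: each Host block is reported on its own; pattern matching,
    Match blocks and Include files are not resolved.
    """
    findings = {}
    host = "*"  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts "Keyword value" or "Keyword=value"; keywords are case-insensitive.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            host = value
        elif keyword == "forwardagent" and value.lower() != "no":
            findings.setdefault(host, []).append("ssh-agent forwarded (ForwardAgent %s)" % value)
        elif keyword == "remoteforward" and "S.gpg-agent" in value:
            findings.setdefault(host, []).append("gpg-agent socket forwarded (RemoteForward %s)" % value)
    return findings

if __name__ == "__main__":
    for host, reasons in find_agent_forwarding(SAMPLE_CONFIG).items():
        for reason in reasons:
            print("%s: %s" % (host, reason))
```

Any host it reports is one where a user with root on the remote side can reach the forwarded socket for as long as the session is open.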