On 25/6/22 21:44, Jonas Witschel wrote: <snip>
> Therefore without being able to specify more detailed key usage policies in the PKGBUILD, trusting any valid signature seems to be a reasonable default, and is also in line with the current approach of trusting *any* of the keys in the validpgpkeys array.
Somewhat off-topic - I'd argue that it is poor packaging to have more validpgpkeys in a PKGBUILD than the key used to verify the source for that particular package version. Lazily just adding more keys to a PKGBUILD and not removing unneeded ones in case they are needed in the future is not ideal. <snip>
> Therefore I would argue that having such a threshold would be more of an improvement that could be based on v2 of the patch rather than a separate implementation: it could be easily achieved by changing arrays_intersect() to return the number of elements in the intersection and to compare that number with a new threshold variable specified in the PKGBUILD (which would default to 1 if unset in order to be backwards compatible).
How about... all signatures from trusted keys (either through PGP web of trust, or via being in validpgpkeys) need to validate? That does not solve the rogue maintainer issue (it is up to a packager to ask why the number of signatures dropped...), but it does address not needing to validate a legacy key.

Allan
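The two policies discussed in this exchange, written out as an added bash example (not makepkg's code): the threshold check proposed for v2 of the patch, where the intersection count of signing keys and validpgpkeys is compared against a PKGBUILD variable, beside Allan's alternative where every key in validpgpkeys must have produced a valid signature. The fingerprints, the `validpgpkeys_threshold` variable name and the function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not makepkg code. Inputs are the fingerprints of the keys
# that produced *valid* signatures on a source file (as makepkg would learn
# from gpg), checked against a PKGBUILD's validpgpkeys array.

# Constructed PKGBUILD-style data: a legacy maintainer key that is still
# listed, plus the key that actually signs current releases.
validpgpkeys=(
  'AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111'  # legacy maintainer key (constructed)
  'BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222'  # current maintainer key (constructed)
)
validpgpkeys_threshold=1   # hypothetical variable from the thread; defaults to 1

# count_trusted_sigs FP...: size of the intersection between the signing
# fingerprints and validpgpkeys (each listed key counted at most once),
# i.e. what the thread suggests arrays_intersect() could return.
count_trusted_sigs() {
  local key fp count=0
  for key in "${validpgpkeys[@]}"; do
    for fp in "$@"; do
      if [[ $fp == "$key" ]]; then count=$((count + 1)); break; fi
    done
  done
  echo "$count"
}

# Policy A (threshold): at least $validpgpkeys_threshold listed keys signed.
check_threshold() {
  local n
  n=$(count_trusted_sigs "$@")
  [[ $n -ge ${validpgpkeys_threshold:-1} ]]
}

# Policy B (Allan's alternative): every key in validpgpkeys must have signed,
# so a stale legacy entry makes verification fail until it is removed.
check_all_keys_signed() {
  [[ $(count_trusted_sigs "$@") -eq ${#validpgpkeys[@]} ]]
}

# Demo: a release signed only by the current key passes A but fails B.
sigs=('BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222')
if check_threshold "${sigs[@]}"; then echo "threshold policy: ok"; else echo "threshold policy: FAIL"; fi
if check_all_keys_signed "${sigs[@]}"; then echo "all-keys policy: ok"; else echo "all-keys policy: FAIL (legacy key did not sign)"; fi
```

Running it prints that the threshold policy accepts the single current-key signature while the all-keys policy rejects it, which is exactly the legacy-key case Allan's variant is meant to surface.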