Title: Having pacman verify packages
Over the past six months, pacman has had package verification features,
although they were turned off while we were still figuring out the
details of our public-key infrastructure.
They have been enabled in pacman-4.0.3-2; when you upgrade, you will be
prompted to run:
pacman-key --init
pacman-key --populate archlinux
This sets up a pacman keyring and populates it with all the data needed to
authenticate packages as made by official Arch packagers (developers and
trusted users). In particular, it installs five master keys that are used to
authenticate official Arch packagers, so you do not need to know who joins or
leaves the team: you only have to verify those five master keys once and for
all. The second command will prompt you to do so; please do this cautiously by
checking the fingerprints it displays against those published on our website.
Then, merge your pacman.conf with pacman.conf.new, that is, enable package
verification through the SigLevel option, and you should be good to go.
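The fingerprint check above is the step most worth automating. The script below is an added example, not part of this announcement or of pacman-key itself: it parses the machine-readable output of gpg (as printed by gpg --homedir /etc/pacman.d/gnupg --with-colons --fingerprint) and confirms that every expected master-key fingerprint is present in the keyring. The fingerprints and the sample gpg output are constructed placeholders; in real use, paste the fingerprints published on the website into EXPECTED_FPRS and pipe the live gpg output into check_fprs.

```shell
#!/bin/sh
# Added example: compare the primary-key fingerprints found in a keyring (gpg
# colon format on stdin) against a list of expected master-key fingerprints.
# All fingerprints below are CONSTRUCTED placeholders, not real Arch keys.

# Expected fingerprints, one per line, 40 hex digits, no spaces (placeholders).
EXPECTED_FPRS='0000000000000000000000000000000000000001
0000000000000000000000000000000000000002'

# extract_fprs: print only primary-key fingerprints, i.e. the "fpr" record that
# directly follows a "pub" record; fingerprints of subkeys ("sub") are skipped.
# In colon format the fingerprint is field 10 of the "fpr" record.
extract_fprs() {
    awk -F: '$1=="pub"{want=1;next} $1=="sub"{want=0} $1=="fpr"&&want{print $10;want=0}'
}

# check_fprs EXPECTED < colon-output
# Returns 0 when every expected fingerprint is present; prints each missing
# fingerprint on stderr and returns 1 otherwise.
check_fprs() {
    expected=$1
    present=$(extract_fprs)
    status=0
    for fpr in $expected; do
        if ! printf '%s\n' "$present" | grep -qx "$fpr"; then
            echo "missing master key fingerprint: $fpr" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample of colon-format gpg output: two primary keys, one subkey.
SAMPLE_OUTPUT='tru::1:1:0:3:1
pub:u:2048:1:AAAAAAAAAAAAAAA1:1325376000:::u:::scESC:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1325376000::0123456789ABCDEF::Placeholder Master Key <placeholder@example.invalid>:
sub:u:2048:1:BBBBBBBBBBBBBBB1:1325376000::::::e:
fpr:::::::::1111111111111111111111111111111111111111:
pub:u:2048:1:AAAAAAAAAAAAAAA2:1325376000:::u:::scESC:
fpr:::::::::0000000000000000000000000000000000000002:'

# Run the check on the constructed sample (replace with the live gpg output).
printf '%s\n' "$SAMPLE_OUTPUT" | check_fprs "$EXPECTED_FPRS" && echo "all master keys present"
```

The subkey fingerprint 1111... is deliberately not in EXPECTED_FPRS, which shows that only primary keys are compared.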
For more details on the development of pacman and archlinux-keyring, see the blog posts of Allan and Pierre.