[arch-dev-public] Enforcing trusted signatures on all package uploads

Allan McRae allan at archlinux.org
Sat Jan 7 03:01:12 EST 2012


Hi,

I think it is about time that we started enforcing that all package
uploads are signed by a trusted signature.  With the way our
web-of-trust works, that means anybody without their keys signed by at
least three of the Arch Linux Master Keys will no longer be able to
upload packages.

All master key holders have been available for key signing for over a
month (some nearer to two months...) so there has been plenty of
opportunity to have this done.  Enforcing that all signatures are trusted
means anyone using signature checking in pacman only needs to import and
trust the master keys.

I see Pierre has already committed the needed change to dbscripts, they
just need to be enabled.  Is there anything stopping this happening?


FYI, the following people have packages in the repos and do not have the
required number of master key signatures to be trusted:

[allan at gerolde ~]$ for i in /srv/ftp/pool/{packages,community}/*.sig; do pacman-key --verify $i; done 2>&1 | grep -B1 WARNING | grep from | sort | uniq
gpg: Good signature from "Jaroslav Lichtblau (trusted user) <dragonlord at aur.archlinux.org>"
gpg: Good signature from "Kevin Piche <kevin at archlinux.org>"
gpg: Good signature from "Ronald van Haren <ronald at archlinux.org>"
gpg: Good signature from "Vesa Kaihlavirta <vegai at iki.fi>"

Allan
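
The "at least three master keys" rule from the mail, as an added example (not part of the original message, and not dbscripts or pacman-key code): a shell function that counts how many distinct master keys hold a verified, unrevoked certification on a packager key, reading `gpg --check-sigs --with-colons` output. All key IDs and the sample listing are constructed placeholders; treating any revocation by a master key as disqualifying that key is a simplifying assumption.

```shell
#!/bin/sh
# Added example: count distinct master keys with a valid certification on a key.
# stdin: output of `gpg --check-sigs --with-colons <packager key>`
# args:  long key IDs (16 hex digits) of the master keys
REQUIRED=3   # "at least three" master key signatures, per the mail

count_master_sigs() {
    masters=$(printf '%s ' "$@")
    awk -F: -v masters="$masters" '
        BEGIN { n = split(toupper(masters), m, " ")
                for (i = 1; i <= n; i++) is_master[m[i]] = 1 }
        # sig record: field 2 is "!" only if gpg verified it; field 5 = signer
        $1 == "sig" && $2 == "!" && (toupper($5) in is_master) { good[toupper($5)] = 1 }
        # rev record: the signer revoked a certification; stop counting them
        $1 == "rev" && $2 == "!" { revoked[toupper($5)] = 1 }
        END { c = 0
              for (id in good) if (!(id in revoked)) c++
              print c }'
}

is_upload_trusted() {
    [ "$(count_master_sigs "$@")" -ge "$REQUIRED" ]
}

# Constructed sample listing; every key ID and name is a placeholder.
sample_listing() {
cat <<'EOF'
pub:f:2048:1:1111111111111111:1325000000:::-:::scESC:
uid:f::::1325000000::::Example Packager <packager@example.invalid>:
sig:!::1:1111111111111111:1325000000::::Example Packager <packager@example.invalid>:13x:
sig:!::1:AAAAAAAAAAAAAAA1:1325100000::::Constructed Master Key 1:10x:
sig:!::1:AAAAAAAAAAAAAAA1:1325100001::::Constructed Master Key 1:10x:
sig:!::1:AAAAAAAAAAAAAAA2:1325100000::::Constructed Master Key 2:10x:
sig:?::1:AAAAAAAAAAAAAAA3:1325100000::::[User ID not found]:10x:
sig:!::1:AAAAAAAAAAAAAAA4:1325100000::::Constructed Master Key 4:10x:
rev:!::1:AAAAAAAAAAAAAAA4:1325200000::::Constructed Master Key 4:30x:
EOF
}

MASTERS="AAAAAAAAAAAAAAA1 AAAAAAAAAAAAAAA2 AAAAAAAAAAAAAAA3 AAAAAAAAAAAAAAA4"
# Duplicate, unverifiable ("?") and revoked certifications do not count.
sample_listing | count_master_sigs $MASTERS
```

Unlike grepping for the WARNING line, this reports how far a key is from the threshold, so a packager can see how many master key signatures are still missing.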

