[arch-dev-public] Enforcing trusted signatures on all package uploads

Dieter Plaetinck dieter at plaetinck.be
Sat Jan 7 03:45:01 EST 2012


On Sat, 07 Jan 2012 18:01:12 +1000
Allan McRae <allan at archlinux.org> wrote:

> Hi,
> 
> I think it is about time that we started enforcing that all package
> uploads are signed by a trusted signature.  With the way our
> web-of-trust works, that means anybody without their keys signed by at
> least three of the Arch Linux Master Keys will no longer be able to
> upload packages.
> 
> All master key holders have been available for key signing for over a
> month (some nearer to two months...) so there has been plenty of
> opportunity to have this done.  Enforcing all signatures are trusted
> means anyone using signature checking in pacman only needs to import
> and trust the master keys.
> 
> I see Pierre has already committed the needed change to dbscripts,
> they just need enabled.  Is there anything stopping this happening?
> 
> 
> FYI, the following people have packages in the repos and do not have
> the required number of master key signatures to be trusted:
> 
> [allan at gerolde ~]$ for i in /srv/ftp/pool/{packages,community}/*.sig;
> do pacman-key --verify $i; done 2>&1 | grep -B1 WARNING | grep from |
> sort | uniq
> gpg: Good signature from "Jaroslav Lichtblau (trusted user)
> <dragonlord at aur.archlinux.org>"
> gpg: Good signature from "Kevin Piche <kevin at archlinux.org>"
> gpg: Good signature from "Ronald van Haren <ronald at archlinux.org>"
> gpg: Good signature from "Vesa Kaihlavirta <vegai at iki.fi>"
> 
> Allan

If they are inactive, they can fix their signatures at the time they want to be active again.
I wouldn't wait for them.

Dieter
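
Added example, not part of the original thread: a parser for the audit quoted above that reports signers whose signature verifies but whose key is not trusted. It tracks the current signer per verification, so a key with several user IDs (extra `aka` lines) is still reported. The function names and the sample gpg output are constructed for illustration.

```shell
#!/bin/sh
# Reads `pacman-key --verify` / gpg output on stdin and prints each signer
# with a good signature on a key gpg does not consider trusted.
untrusted_signers() {
    awk '
        # A new verification starts: forget the previous signer.
        /^gpg: Signature made/ { signer = "" }
        # Remember the primary user ID of the key that made the signature.
        /^gpg: Good signature from "/ {
            signer = $0
            sub(/^gpg: Good signature from "/, "", signer)
            sub(/".*$/, "", signer)
        }
        # The trust warning follows the user ID lines, "aka" lines included.
        /^gpg: WARNING: This key is not certified with a trusted signature/ {
            if (signer != "") print signer
        }
    ' | sort -u
}

# Constructed sample output: Alice is trusted, Bob and Carol are not.
sample_output() {
cat <<'EOF'
gpg: Signature made Sat Jan  7 00:00:00 2012 UTC using RSA key ID 00000001
gpg: Good signature from "Alice Example <alice@example.org>"
gpg: Signature made Sat Jan  7 00:00:01 2012 UTC using RSA key ID 00000002
gpg: Good signature from "Bob Example <bob@example.org>"
gpg:                 aka "Bob Example (old address) <bob@old.example.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
gpg: Signature made Sat Jan  7 00:00:02 2012 UTC using RSA key ID 00000003
gpg: Good signature from "Carol Example <carol@example.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: Signature made Sat Jan  7 00:00:03 2012 UTC using RSA key ID 00000003
gpg: Good signature from "Carol Example <carol@example.org>"
gpg: WARNING: This key is not certified with a trusted signature!
EOF
}

# Real use (bash): for sig in /srv/ftp/pool/{packages,community}/*.sig; do
#   pacman-key --verify "$sig"; done 2>&1 | untrusted_signers
sample_output | untrusted_signers
```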

