[arch-dev-public] IMPORTANT: New procedures regarding PGP key signatures

Thomas Bächler thomas at archlinux.org
Sun Sep 29 09:54:24 EDT 2013


In order to organize the keyring management better, we will now follow
new procedures for managing signatures:

ADDING A NEW KEY:

Whenever a new developer or TU joins the team, the developer responsible
for adding him/her or the TU sponsor (whatever is appropriate) has to
open a new task with the "New Key" type in the "Keyring" project on the
bug tracker. In that task, the following must be listed:

1) Bug tracker user name of the new dev/TU
2) PGP fingerprint
3) Any links to relevant discussion threads or similar

In addition, the information 1) and 2) must be written into a plain-text
file, signed with gpg --sign (using a valid packager key) and attached
to the bug report.

A master key holder can then add the new user to the "Members" group of
the "Keyring" project, so he/she can comment and provide additional
information (you should all be members of that group and thus be able to
see the Keyring project; if anyone isn't, please tell me).

REMOVAL OF A KEY:

Whenever a TU resigns or a developer leaves the team (or is forcefully
removed from the team), a task with the "Key Removal" type must be
opened in the "Keyring" project to schedule revocation of the key and
necessary rebuilds.

A master key holder should remove the user from the "Members" group.

OTHERS:

Any other issues regarding key signatures should be stated in a task
with the "Other" type in the "Keyring" project.
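
The signing step under ADDING A NEW KEY, sketched as a shell example added here (not part of the original message or of Arch's own tooling), together with the check a reviewer can run on the attachment. The field labels, function names and the one-fingerprint-per-line allow-list standing in for "a valid packager key" are assumptions.

```sh
#!/bin/sh
# Added example. Field labels, function names and the allow-list file are
# assumptions; the message only requires a plain-text file holding items
# 1) and 2), signed with "gpg --sign" using a valid packager key.

# Normalise a fingerprint: drop spaces, upper-case, require 40 hex digits
# (the length of an OpenPGP v4 fingerprint).
norm_fpr() {
    f=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    case "$f" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#f}" -eq 40 ] || return 1
    printf '%s\n' "$f"
}

# Sponsor side: write items 1) and 2) into a plain-text file.
# usage: write_request <bugtracker-user> <fingerprint> <outfile>
write_request() {
    fpr=$(norm_fpr "$2") || { echo "bad fingerprint: $2" >&2; return 1; }
    printf 'Bug tracker user: %s\nPGP fingerprint: %s\n' "$1" "$fpr" > "$3"
}

# Sponsor side: sign the file with the sponsor's packager key.
# gpg writes the signed message to "<file>.gpg", which is what gets attached.
# usage: sign_request <signing-key-id> <file>
sign_request() {
    gpg --local-user "$1" --sign "$2"
}

# Reviewer side: read "gpg --status-fd" output on stdin and succeed only if
# it contains a VALIDSIG line whose primary-key fingerprint (field 12) is
# listed in the allow-list. A signing subkey's own fingerprint (field 3)
# is deliberately not accepted; missing or bad signatures fail closed.
# usage: gpg --status-fd 1 --output request.txt --decrypt request.txt.gpg \
#            | signer_allowed packager-fingerprints.txt
signer_allowed() {
    signer=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12; exit }')
    [ -n "$signer" ] && grep -qxF "$signer" "$1"
}
```

Sending the recovered text to a file with --output keeps it off stdout, so the only lines signer_allowed parses are gpg's own status lines.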

