[arch-dev-public] Urgent reminder about packager PGP keys and packages

David Runge dave at sleepmap.de
Thu Feb 24 19:53:00 UTC 2022


Hi all,

as mentioned mid-January [1], we are currently en route to deprecating
Allan's main signing key [2].

For this purpose I have added 11 rebuild TODOs for packages signed by
packager keys that have been superseded by newer ones (and should then
also be removed). These packages need to be rebuilt using the new
packager key (or any other valid packager key that is not explicitly
mentioned in any of the TODOs), as they block the removal of Allan's
main signing key.

You can do so with the help of rebuild-todo (which is part of
archlinux-contrib). Have a look at its help output for all available
options.

Please also make sure to set up your current PGP key ID in your archweb
profile, so that the information on the website [3] is correct and
up-to-date.


The following packagers have not yet created a new key and block the
effort towards deprecating Allan's signing key as well:

- bgyorgy (CE0BDE71A759A87F23F0F7D8B61DBCE10901C163)
- archange (69DA34D78FE0EFD596AC6D049D893EC4DAAF9129)
- arodseth (962855F072C7A01846405864FCF3C8CB5CF9C8D4)
- kylekeen (48C3B1F30DDD0FE67E516D16396E3E25BAB142C1)
- farseerfc (4B1DE545A801D4549BFD3FEF90CB3D62C13D4796)

Please make sure to create new packager keys, have them signed by at
least three main signing keys and rebuild all packages signed by the old
packager key until the beginning of April.
After that we will start mass-rebuilds of the remaining packages in
question and commence with the revocation of Allan's key (which means
that the above packager keys cannot be used for packaging anymore)
unless other blockers come up.

If you have questions, please reach out via e-mail, or in
#archlinux-staff on libera.chat.

Best,
David

[1] https://lists.archlinux.org/pipermail/arch-dev-public/2022-January/030617.html
[2] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues/148
[3] https://archlinux.org/master-keys/

-- 
https://sleepmap.de