[arch-dev-public] RFC: Store PGP keys for source file signatures in SVN
Allan McRae
allan at archlinux.org
Wed Mar 2 04:19:40 UTC 2022
A new RFC (request for comment) has been opened here:
https://gitlab.archlinux.org/archlinux/rfcs/-/merge_requests/11

Please visit the above link for discussion.

Summary:
Store the PGP signing keys listed in a PKGBUILD's `validpgpkeys` array in
the trunk directory of SVN.

Motivation:
The PGP keyserver infrastructure has become increasingly brittle over
recent years. This can make helping with updates or rebuilds of packages
difficult due to lack of access to the valid signing key. Having the
signing key exported alongside the PKGBUILD would allow for anybody to
import the key into their keyring and verify the source.