[arch-dev-public] RFC Final Comment Period: Store PGP keys for source file signatures alongside PKGBUILDs
allan at archlinux.org
Sun Mar 27 07:46:05 UTC 2022
On 11/3/22 09:12, Allan McRae via arch-dev-public wrote:
> An RFC has now entered Final Comment Period. In 14 days, discussion will
> end and the proposal will either be accepted, rejected or withdrawn:
> Please visit the above link for discussion.
> Store the PGP signing keys listed in a PKGBUILD's `validpgpkeys` array
> alongside the PKGBUILD in our VCS.
> The PGP keyserver infrastructure has become increasingly brittle over
> recent years. This can make helping with updates or rebuilds of packages
> difficult due to lack of access to the valid signing key. Having the
> signing key exported alongside the PKGBUILD would allow for anybody to
> import the key into their keyring and verify the source.
It has been 14 days, with no negative comments. The RFC is now accepted.
I will work on patches to automate this.
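
A check that follows from the accepted proposal, as an added example that is not part of the original message or of Arch's tooling: it reads `validpgpkeys` without executing the PKGBUILD and reports fingerprints that have no exported key stored beside it, plus stored keys that are no longer listed. The `keys/pgp/<FINGERPRINT>.asc` layout and all function names are assumptions, and the sample PKGBUILD is constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumed layout (not stated in the message): <pkgdir>/keys/pgp/<FINGERPRINT>.asc
KEY_SUBDIR = Path("keys") / "pgp"
FINGERPRINT = re.compile(r"[0-9A-F]{40}")  # full, uppercase fingerprint


def listed_fingerprints(pkgbuild_text):
    """Return the entries of validpgpkeys without sourcing the PKGBUILD."""
    text = re.sub(r"#.*", "", pkgbuild_text)  # drop comments, which may contain ')'
    match = re.search(r"^validpgpkeys=\((.*?)\)", text, re.S | re.M)
    if not match:
        return []
    return [tok.strip("'\"") for tok in match.group(1).split()]


def audit_keys(pkgdir):
    """Compare validpgpkeys with the key files stored next to the PKGBUILD."""
    pkgdir = Path(pkgdir)
    listed = listed_fingerprints((pkgdir / "PKGBUILD").read_text())
    wanted = {f for f in listed if FINGERPRINT.fullmatch(f)}
    stored = {p.stem for p in (pkgdir / KEY_SUBDIR).glob("*.asc")}
    return {
        "malformed": [f for f in listed if f not in wanted],
        "missing": sorted(wanted - stored),   # listed, but no exported key in VCS
        "unlisted": sorted(stored - wanted),  # key file no longer in validpgpkeys
    }


if __name__ == "__main__":
    # Constructed sample: two listed fingerprints, only one exported key file.
    key_a, key_b = "A" * 40, "B" * 40
    sample = (
        "pkgname=example\n"
        f"validpgpkeys=('{key_a}'  # upstream maintainer (constructed)\n"
        f"              '{key_b}')\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        pkgdir = Path(tmp)
        (pkgdir / "PKGBUILD").write_text(sample)
        (pkgdir / KEY_SUBDIR).mkdir(parents=True)
        (pkgdir / KEY_SUBDIR / f"{key_a}.asc").write_text("constructed placeholder\n")
        for kind, items in audit_keys(pkgdir).items():
            print(f"{kind}: {items}")
```

The check only compares file names with the array; it does not confirm that a stored file actually contains the key with that fingerprint.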