[arch-general] Unofficial Repository Guidelines

Gaetan Bisson bisson at archlinux.org
Wed Nov 21 00:39:53 EST 2012

[2012-11-20 20:48:42 -0800] Jesus Alvarez:
> The reason I ask this is because I created two signed repositories for some
> packages I maintain, zfs and netflix-desktop. They do have usage, and in my
> forum posts, people seem to really appreciate the availability of the repo.
> However, I am not a TU, so my keys are not signed by any of the master
> keys. I don't want to contribute to a bad habit of not checking package
> sources before installing something from some repo. When I brought the
> topic up in #archlinux, there was some concern I was using a repo and not
> solely relying on AUR.

Having your personal repository in open access is great!

It is always nice to upload to the AUR the sources of those packages
that you expect will be of use to other people, but that can perfectly
well be done on top of putting them in your personal repository.

In my opinion it is entirely up to people who install packages from your
repository to verify their quality; the only thing you can do is make it
easier for them by making the sources available, publishing your signing
key at many places, etc. (And you seem to say you have been doing that.)

I would just additionally recommend putting a short banner at the root
of your repository to act both as a short howto and legal statement;
here is mine for instance:


That's it. There are no official guidelines or anything like that, and
the above is the only etiquette I can think of.


