SSH commit signatures on AUR
PedanticDM
pedanticdm at gmx.us
Sat Mar 5 05:20:29 UTC 2022
On 3/2/22 11:38 AM, Sebastian Wiesner via aur-dev wrote:
> For this to work AUR would need to publicly expose SSH keys in user
> profile packages, which definitely requires some care wrt to privacy.
Github (and Gitlab) both expose users' public ssh and pgp keys to the
web. Take me for example, though you could search&replace with any valid
username:
* https://github.com/pedanticdm.keys
* https://github.com/pedanticdm.gpg
(I'm most familiar with Github, hence this and a future example).
Waxing pedantic, I'm not sure how many "privacy" concerns exist in this
space since we're dealing in public keys (it's in the name). Trust and
integrity (cough SKS keyservers cough) are the prominent concerns in my
mind.
> But if there's interest in the feature, I'd be happy to start working
> on a patch to aurweb to contribute this feature.
I see some value in it. Nothing fancy would be required. Github, for
instance, presents a "verified" tag alongside every commit signed by
UserA with the public key UserA uploaded to their account, plus a commit
Author field with correct data. And, in Vigilant Mode, you get scary
"unverified" and discomforting "partially verified" tags as well. ^_^
Have a good weekend, everyone! Cheers!
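The "verified" tag described above rests on checking a commit's SSH signature against the keys the user uploaded; git does that check from an allowed_signers file. The following is an added Python example, not code from aurweb, GitHub or the poster, that converts a `.keys`-style listing into that file; the user name, e-mail address and key bytes are constructed.

```python
# Convert the public keys a forge publishes for a user (GitHub's
# https://github.com/<user>.keys: one authorized_keys-style line per key)
# into git's allowed_signers format, which git reads to label SSH-signed
# commits as good or bad. Added example; user, e-mail and key bytes are constructed.
import base64
import struct

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data

def make_ed25519_blob(pubkey32: bytes) -> str:
    """Base64 blob of an ssh-ed25519 public key (constructed, not a real key)."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(pubkey32)).decode()

# Constructed stand-in for what GET https://github.com/<user>.keys returns.
SAMPLE_KEYS = "\n".join([
    "ssh-ed25519 " + make_ed25519_blob(bytes(range(32))),
    "",  # blank lines are tolerated
    "ssh-ed25519 " + make_ed25519_blob(b"\x11" * 32) + " laptop",  # trailing comment
])

def parse_public_key(line: str) -> tuple[str, str]:
    """Return (keytype, base64); reject lines whose text type disagrees with the blob."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError(f"malformed key line: {line!r}")
    keytype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n]
    if len(embedded) != n or embedded != keytype.encode():
        raise ValueError(f"type {keytype!r} does not match blob type {embedded!r}")
    return keytype, b64

def allowed_signers(principal: str, keys_text: str, namespace: str = "git") -> list[str]:
    """One allowed_signers line per key: principal, options, keytype, key.
    namespaces="git" keeps a signature made for another purpose from verifying as a commit."""
    out = []
    for raw in keys_text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        keytype, b64 = parse_public_key(raw)
        out.append(f'{principal} namespaces="{namespace}" {keytype} {b64}')
    return out
```

Point git at the resulting file with `git config gpg.format ssh` and `git config gpg.ssh.allowedSignersFile <path>`; `git log --show-signature` then reports each SSH-signed commit as good or bad against exactly those keys.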