[aur-general] GPG Key Signing

Gaetan Bisson bisson at archlinux.org
Thu Dec 1 17:08:37 EST 2011


[2011-12-01 09:08:39 -0600] Thomas Dziedzic:
> I don't think anyone has actually verified that any of the given names
> are real names.

Well, actually, CAcert (which Dan relies on) is all about verifying
people's actual identity, in particular their name and birth date.

> What's important is that you've verified that you use the key to sign
> your packages in case someone does get compromised or decides to go
> rogue, then we will have a way to easily track which packages should
> become void.

That feature was already achieved by permissions on gerolde/sigurd...
The whole point of package signing is to neutralize attacks against our
repositories (our servers but also third-party mirrors).

Now those inaccuracies are out of the way:

I find Dan's verification requirements quite reasonable, and I am
pleased he takes a different approach than other master key holders:
what would be the point of everyone verifying the same thing?

Yes, that Xyne person (well, it could even be a group of people, for all
we know) has pushed good packages to the repos, but developers and
trusted users are not just package producing machines, and it doesn't
strike me as odd that a distro expects a little transparency from them.

Of course, that is only my opinion: verification policy is for each
master key holder to decide individually - that's what they were
entrusted with when they were selected.

-- 
Gaetan