[aur-general] Discussion about AUR packages signing

Dave Reisner d at falconindy.com
Thu Aug 7 22:06:52 EDT 2014

On Thu, Aug 07, 2014 at 09:57:24PM +0200, Fabien Dubosson wrote:
> Hi,
> I want to start a discussion about AUR packages signing. If this debate
> already happened, it means that I'm not really good with Google or
> unfortunate in the keywords I used in my searches: in these cases
> forgive me and just give me some pointers.
> TL;DR I personally "trust" some AUR users who have several good-quality
>       packages, and an optional way to sign AUR packages would permit me
>       to know that I can build and update their packages without
>       worrying too much.

I did read your proposal, but my comment can be framed in the context of
your tl;dr:

You don't really seem to want GPG signatures, just a whitelist of
package maintainers by name. Any AUR helper could implement support for
this today, with no changes to the AUR.


More information about the aur-general mailing list