[aur-general] Discussion about AUR packages signing

Oon-Ee Ng ngoonee.talk at gmail.com
Thu Aug 7 22:19:15 EDT 2014


On Fri, Aug 8, 2014 at 10:06 AM, Dave Reisner <d at falconindy.com> wrote:
> On Thu, Aug 07, 2014 at 09:57:24PM +0200, Fabien Dubosson wrote:
>> Hi,
>>
>> I want to start a discussion about AUR packages signing. If this debate
>> already happened, it means that I'm not really good with Google or
>> unfortunate in the keywords I used in my searches: in these cases
>> forgive me and just give me some pointers.
>>
>> TL;DR I personally "trust" some AUR users who have several good-quality
>>       packages, and an optional way to sign AUR packages would permit me
>>       to know that I can build and update their packages without
>>       worrying too much.
>
> I did read your proposal, but my comment can be framed in the context of
> your tl;dr:
>
> You don't really seem to want GPG signatures, just a whitelist of
> package maintainers by name. Any AUR helper could implement support for
> this today, with no changes to the AUR.

Which reminds me of the old bauerbill Xyne wrote, which did precisely that =)

