[aur-general] Discussion about AUR packages signing

Fabien Dubosson fabien.dubosson at gmail.com
Fri Aug 8 02:35:45 EDT 2014


> I did read your proposal, but my comment can be framed in the context of
> your tl;dr:

You had to be motivated, afterwards it looks horribly long ;-)

> You don't really seem to want GPG signatures, just a whitelist of
> package maintainers by name. Any AUR helper could implement support for
> this today, with no changes to the AUR.

Of course, this is a working solution and can be implemented right away.

But it does not have the same meaning. The maintainer's name gives me the
information that I am installing a package that claims to be provided by
this maintainer, or uploaded with this maintainer's account. GPG
signatures will add the certitude that I'm installing the same package
as the maintainer wrote in person. I admit this is not happening really
often, but in some cases like an AUR website weakness, a usurpation of
the maintainer's identity or the intrusion of a government in "the
internet", this will offer more certitude in the packages (like for
official ones).

I can live with the current situation without a problem, but IMHO,
offering the possibility to provide GPG-signed packages would be a great
plus in the future.

Regards,
++ Fabien
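The distinction drawn above (a maintainer name shown on the AUR page versus a signature made with the maintainer's own key) as an added example; this is not code from the thread, from any AUR helper or from the AUR project. It assumes a hypothetical helper convention where a detached signature is shipped as PKGBUILD.sig next to PKGBUILD, and a helper that pins one fingerprint per maintainer; the demo key, the "Demo Maintainer" identity and the sample PKGBUILD are constructed for the example. It needs gpg (GnuPG 2.1 or later) on PATH and works in a throwaway GNUPGHOME so it does not touch your real keyring.

```shell
#!/bin/sh
# Added example, not code from the thread or from the AUR project: a toy
# AUR-helper check contrasting a maintainer-name whitelist with verification
# of a detached GPG signature over PKGBUILD against a pinned fingerprint.
# All names (PKGBUILD.sig, verify_pkgbuild, the demo key) are assumptions.
set -eu

# Whitelist approach: trust whatever "# Maintainer:" line the PKGBUILD (or the
# AUR page) shows. Anyone who can edit the page or the account passes this.
TRUSTED_MAINTAINERS="alice bob"
claimed_maintainer() {
    awk '/^# Maintainer:/ {print $3; exit}' "$1/PKGBUILD"
}
maintainer_whitelisted() {
    for m in $TRUSTED_MAINTAINERS; do
        [ "$m" = "$1" ] && return 0
    done
    return 1
}

# Signature approach: DIR/PKGBUILD.sig must be a valid detached signature over
# DIR/PKGBUILD made by the key whose primary fingerprint is exactly $2.
# Returns 0 on success, 1 if unsigned, corrupt, or signed by some other key.
verify_pkgbuild() {
    dir=$1; want=$2
    [ -f "$dir/PKGBUILD.sig" ] || return 1
    # --status-fd emits machine-readable lines; only VALIDSIG proves a good
    # signature, and its last field is the signing key's primary fingerprint.
    status=$(gpg --batch --status-fd 1 --verify \
        "$dir/PKGBUILD.sig" "$dir/PKGBUILD" 2>/dev/null) || return 1
    got=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ {print $NF; exit}')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Throwaway keyring plus a signed demo PKGBUILD (constructed sample data).
setup_demo() {
    DEMO=$(mktemp -d)
    GNUPGHOME="$DEMO/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Maintainer <demo@example.invalid>' \
        default default never 2>/dev/null
    # Primary fingerprint: the value a helper would pin for this maintainer.
    FPR=$(gpg --batch --with-colons --list-secret-keys 2>/dev/null \
        | awk -F: '$1 == "fpr" {print $10; exit}')
    mkdir "$DEMO/pkg"
    printf '# Maintainer: alice\npkgname=demo\npkgver=1.0\npkgrel=1\n' \
        > "$DEMO/pkg/PKGBUILD"
    gpg --batch --quiet --detach-sign \
        --output "$DEMO/pkg/PKGBUILD.sig" "$DEMO/pkg/PKGBUILD" 2>/dev/null
}
teardown_demo() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$DEMO"
}

# Walk through the scenario from the mail: the AUR copy gets altered but the
# maintainer line stays, so the whitelist still says yes; the signature does not.
run_demo() {
    setup_demo
    verify_pkgbuild "$DEMO/pkg" "$FPR" && echo "genuine package: signature OK"
    printf 'source=("http://evil.invalid/demo.tar.gz")\n' >> "$DEMO/pkg/PKGBUILD"
    maintainer_whitelisted "$(claimed_maintainer "$DEMO/pkg")" \
        && echo "tampered package: maintainer whitelist still accepts it"
    verify_pkgbuild "$DEMO/pkg" "$FPR" \
        || echo "tampered package: signature check rejects it"
    teardown_demo
}
run_demo
```

The fingerprint comparison is the part that matters: checking only that gpg reports "Good signature" would accept any key the verifier happens to have imported, so a helper has to pin the maintainer's full fingerprint (not a short key ID) and compare it against what VALIDSIG reports.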
