[aur-general] Discussion about AUR packages signing

Martti Kühne mysatyre at gmail.com
Fri Aug 8 02:53:51 EDT 2014


On Fri, Aug 8, 2014 at 8:35 AM, Fabien Dubosson
<fabien.dubosson at gmail.com> wrote:
> [...]
>
> But it does not have the same meaning. Maintainer's name gives me the
> information that I am installing a package that claims to be provided by
> this maintainer, or uploaded with this maintainer account. GPG
> signatures will add the certitude that I'm installing the same package
> as the maintainer wrote in person. I admit this is not happening really
> often...

Well, I don't see how this idea is supposed to be compatible with what
I see as the benefits of the AUR...

I love that I can make changes and proceed doing so in the course of
building and installing a PKGBUILD from the AUR. So the PKGBUILDs I
usually install aren't cryptographically similar to the package AUR
would provide, deeming any cryptographic signing mechanism useless.
The official wording of the AUR - unsupported, not to be fully trusted
content - leads to the fact that any AUR helper should notify you of
this fact every time you use the AUR and offer you editing between any
and all of the files involved.

cheers!
mar77i
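The point in the message above, that a locally edited PKGBUILD is no longer the file the maintainer signed, can be shown concretely. The following script is an added illustration, not code from the thread or from the AUR project: it uses a toy textbook RSA signature (not OpenPGP, which is what real AUR signing would use) over the SHA-256 digest of a constructed PKGBUILD, then runs the check an AUR helper might perform before building: does the downloaded file verify against the maintainer's signature, and does the copy the user is about to build still match it? All key material, the PKGBUILD text and the function names are assumptions made for this example.

```python
import hashlib
import random

# --- toy textbook RSA (constructed for illustration only; not a real signing scheme) ---

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test (deterministic rng so the example is repeatable)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(1234)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=160, seed=42):
    """Return ((n, e), (n, d)). 2*160-bit modulus exceeds a 256-bit digest, so h < n."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits, rng), _random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(text):
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")


def sign(private_key, text):
    n, d = private_key
    return pow(_digest_int(text), d, n)


def verify(public_key, text, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest_int(text)


# --- the helper-side check the thread is arguing about ---

def audit_local_copy(public_key, signature, upstream_text, local_text):
    """Compare what the maintainer signed with what the user is about to build."""
    upstream_ok = verify(public_key, upstream_text, signature)
    local_matches = upstream_ok and verify(public_key, local_text, signature)
    if not upstream_ok:
        verdict = "downloaded PKGBUILD does not verify: refuse to build"
    elif local_matches:
        verdict = "building exactly what the maintainer signed"
    else:
        verdict = "local edits present: signature no longer covers this file, review before building"
    return {"upstream_signature_ok": upstream_ok,
            "local_matches_signed": local_matches,
            "verdict": verdict}


# Constructed sample PKGBUILD and a user-edited copy (only pkgver changed).
ORIGINAL_PKGBUILD = "pkgname=example\npkgver=1.0\npkgrel=1\nsource=(example-1.0.tar.gz)\n"
EDITED_PKGBUILD = ORIGINAL_PKGBUILD.replace("pkgver=1.0", "pkgver=1.1")

if __name__ == "__main__":
    pub, priv = generate_keypair()
    sig = sign(priv, ORIGINAL_PKGBUILD)
    print(audit_local_copy(pub, sig, ORIGINAL_PKGBUILD, ORIGINAL_PKGBUILD)["verdict"])
    print(audit_local_copy(pub, sig, ORIGINAL_PKGBUILD, EDITED_PKGBUILD)["verdict"])
```

Because the signature binds the exact bytes, even a one-character edit to the local copy fails verification while the downloaded file still verifies; a helper can therefore distinguish "tampered upstream" from "edited by the user" and warn accordingly, which is the notification behaviour the message above asks for.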

