[aur-general] Discussion about AUR packages signing

Fabien Dubosson fabien.dubosson at gmail.com
Fri Aug 8 03:46:44 EDT 2014


> I love that I can make changes and proceed doing so in the course of
> building and installing a PKGBUILD from the AUR. So the PKGBUILDs I
> usually install aren't cryptographically similar to the package AUR
> would provide, deeming any cryptographic signing mechanism useless.

The idea of signing package sources is not to prevent modifying or
installing modified packages nor to verify signatures of built packages.

It would only check that the `*.tar.gz` you received from AUR has been
signed by the maintainer, thus has not been modified by anyone else
in-between. Once the sources are verified, it is up to the user to do
modifications and build packages. But at least you have the certainty
about the original PKGBUILD author and the source files' content.

> The official wording of the AUR - unsupported, not to be fully trusted
> content - leads to the fact that any AUR helper should notify you of
> this fact every time you use the AUR and offer you editing between any
> and all of the files involved.

Any AUR helper will still notify people that they are using unsupported
packages and will do exactly the same building process as now.

But users would have the possibility:

  1. To verify the author and the content of a package source (if they
     want and if available).
  2. To personally/locally trust a maintainer hence simplifying
     the package management/updates. (Also see Daniel Micay's answer)

Regards,
++ Fabien
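The two points above, checking that the tarball the user received is the one the maintainer signed and letting the user trust a maintainer locally so that routine updates need no manual review, as an added example that is not part of the original post or of any AUR tooling. It uses OpenSSL RSA detached signatures as a stand-in for the GnuPG signatures the thread has in mind, so it runs without a keyring; the maintainer name alice, the directory layout, the local trust store and the PKGBUILD content are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: a small model of a signed AUR source tarball.
# Assumptions: openssl, tar and mktemp are installed; OpenSSL RSA detached
# signatures stand in for GnuPG signatures; the maintainer name, directory
# layout, trust store and PKGBUILD content are all constructed.
set -eu

WORK=$(mktemp -d)
TRUSTED="$WORK/trusted-maintainers"    # public keys the user chose to trust locally
mkdir -p "$TRUSTED"

# ---- maintainer side: key generation and signing of the source tarball ----
make_maintainer_key() {                 # $1 = maintainer name
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" 2>/dev/null
    openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

sign_tarball() {                        # $1 = maintainer name, $2 = tarball
    openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.sig" "$2"
}

# ---- user side: a one-time decision, taken out of band after checking the key ----
trust_maintainer() {                    # $1 = maintainer name
    cp "$WORK/$1.pub" "$TRUSTED/$1.pub"
}

# ---- user side: the check that runs before the PKGBUILD is read or edited ----
# Exit status: 0 = signed by a locally trusted maintainer, content unchanged
#              1 = signature missing or does not match (tampered, or another key)
#              2 = maintainer not trusted locally -> review by hand, as today
verify_tarball() {                      # $1 = claimed maintainer, $2 = tarball
    pub="$TRUSTED/$1.pub"
    [ -f "$pub" ] || return 2
    [ -f "$2.sig" ] || return 1
    openssl dgst -sha256 -verify "$pub" -signature "$2.sig" "$2" >/dev/null 2>&1 || return 1
}

# Run verify_tarball and print its status instead of aborting under set -e
verify_status() {                       # $1 = claimed maintainer, $2 = tarball
    if verify_tarball "$1" "$2"; then echo 0; else echo $?; fi
}

# ---- demo: the maintainer publishes, a modified copy appears, the user checks ----
mkdir -p "$WORK/src/foo"
cat > "$WORK/src/foo/PKGBUILD" <<'EOF'
pkgname=foo
pkgver=1.0
source=("https://example.invalid/foo-1.0.tar.gz")
sha256sums=('SKIP')
EOF
tar -C "$WORK/src" -czf "$WORK/foo.tar.gz" foo

make_maintainer_key alice
sign_tarball alice "$WORK/foo.tar.gz"

# A modified copy: the source URL was rewritten and the tarball re-packed, but
# the only signature that can be shipped with it is the maintainer's original one.
mkdir -p "$WORK/evil/foo"
sed 's#example.invalid/foo#other.invalid/foo#' "$WORK/src/foo/PKGBUILD" > "$WORK/evil/foo/PKGBUILD"
tar -C "$WORK/evil" -czf "$WORK/foo-modified.tar.gz" foo
cp "$WORK/foo.tar.gz.sig" "$WORK/foo-modified.tar.gz.sig"

echo "before trusting alice: $(verify_status alice "$WORK/foo.tar.gz")"          # 2
trust_maintainer alice
echo "genuine tarball:       $(verify_status alice "$WORK/foo.tar.gz")"          # 0
echo "modified tarball:      $(verify_status alice "$WORK/foo-modified.tar.gz")" # 1
```

Status 2 is the important one for the trust model in point 2: a package from a maintainer the user has not trusted is handled exactly as today, with the user reading every file, while a verified tarball from a trusted maintainer can be updated with less ceremony. The signature says nothing about whether the PKGBUILD is safe to build, only that it is the one the maintainer published.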