[aur-general] Build packages without Arch on pkgbuild.com

Levente Polyak anthraxx at archlinux.org
Sat Apr 7 11:55:43 UTC 2018


On April 7, 2018 8:23:08 AM GMT+02:00, Pierre Neidhardt via aur-general <aur-general at archlinux.org> wrote:
>
>To perform the complete operation on soyuz, we need to forward the
>gpg-socket (and the SSH socket if different) to soyuz, which defeats the
>PGP / Web of Trust security model: for a person with root access to soyuz,
>the private key is only one passphrase away.
>
>Thoughts?
>

Yes, truly defeats it. I explicitly do not recommend forwarding it to the build server.
To avoid doing that, you will most likely need to download the final artifacts for signing. If I recall correctly, we had a discussion on that topic with Bluewind, jelle and grazzolini, and someone wanted to rephrase the section with better recommendations.

Cheers,
Levente 
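
The workflow recommended in this reply (download the built artifact and sign it on the workstation, with no agent socket forwarded), as an added example that is not part of the original message or of any Arch tooling. The host name build.example.org, the BUILD_HOST variable, the function names and the remote package path are assumptions.

```bash
#!/usr/bin/env bash
# Added example: keep gpg-agent local, pull the package, sign it here.
# BUILD_HOST is a placeholder (assumption), not a host named in the thread.
BUILD_HOST=${BUILD_HOST:-build.example.org}

# Reads `ssh -G <host>` output on stdin. Succeeds if the effective SSH
# configuration would expose a local agent socket to the remote host:
# either ForwardAgent is enabled, or a RemoteForward maps a gpg-agent socket.
forwards_agent() {
    awk '
        $1 == "forwardagent"  && $2 != "no"      { hit = 1 }
        $1 == "remoteforward" && /S\.gpg-agent/  { hit = 1 }
        END { exit (hit ? 0 : 1) }
    '
}

# Succeeds only if FILE hashes to EXPECTED (hex SHA-256).
# The digest is reported by the build host itself, so this detects a
# corrupted or truncated transfer, not a tampered build.
verify_sha256() {
    local file=$1 expected=$2 actual
    actual=$(sha256sum "$file" | cut -d' ' -f1) || return 1
    [ "$actual" = "$expected" ]
}

# Usage: fetch_and_sign /remote/path/to/pkgname.pkg.tar.xz
# Writes pkgname.pkg.tar.xz and pkgname.pkg.tar.xz.sig in the current directory.
fetch_and_sign() {
    local remote_pkg=$1 pkg expected
    pkg=$(basename "$remote_pkg")

    # Refuse to connect if the private key would be reachable from the server.
    if ssh -G "$BUILD_HOST" | forwards_agent; then
        echo "refusing: SSH config forwards an agent socket to $BUILD_HOST" >&2
        return 1
    fi

    expected=$(ssh "$BUILD_HOST" "sha256sum '$remote_pkg'" | cut -d' ' -f1) || return 1
    scp "$BUILD_HOST:$remote_pkg" "$pkg" || return 1
    verify_sha256 "$pkg" "$expected" || { echo "checksum mismatch" >&2; return 1; }

    # The detached signature is made by the local gpg-agent only.
    gpg --output "$pkg.sig" --detach-sign "$pkg"
}
```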

