[aur-general] Build packages without Arch on pkgbuild.com

Morten Linderud foxboron at archlinux.org
Sat Apr 7 12:04:55 UTC 2018

On Sat, Apr 07, 2018 at 11:53:08AM +0530, Pierre Neidhardt via aur-general wrote:
> To perform the complete operation on soyuz, we need to forward the
> gpg-socket (and the SSH socket if different) to soyuz, which defeats the PGP
> / Web of Trust security model: for a person with root access to soyuz,
> the private key is only one passphrase away.

Which is why I have been working on clave[1]. It helps in the cases where build
artefacts are large and sorta useless to download after building. But it doesn't
prevent the case where a malicious root user is capable of switching the files
right after build, unless you do some additional verification after generating
the signing request. 

Since it creates signatures with the new packet style, it won't be supported
before pacman 5.1, and I plan on improving it a bit before that time.

[1]: https://github.com/Foxboron/clave 

Morten Linderud

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/aur-general/attachments/20180407/9593a118/attachment.asc>

More information about the aur-general mailing list