[arch-dev-public] Enforcing trusted signatures on all package uploads
Dan McGee
dpmcgee at gmail.com
Sat Jan 7 10:54:45 EST 2012
On Sat, Jan 7, 2012 at 2:01 AM, Allan McRae <allan at archlinux.org> wrote:
> Hi,
>
> I think it is about time that we started enforcing that all package
> uploads are signed by a trusted signature. With the way our
> web-of-trust works, that means anybody without their keys signed by at
> least three of the Arch Linux Master Keys will no longer be able to
> upload packages.
>
> All master keys holders have been available for key signing for over a
> month (some nearer to two months...) so there has been plenty of
> opportunity to have this done. Enforcing all signatures are trusted
> means anyone using signature checking in pacman only needs to import and
> trust the master keys.
I realize I'm the pain in the ass requiring a bit more before I sign
your keys, but given we have 5 master keys, and we're only enforcing 3
signatures (at least at this point in the game), I am on board with
requiring this. I do plan to get back to my backlog of requests soon
enough.
-Dan
More information about the arch-dev-public
mailing list