[arch-dev-public] RFC Final Comment Period: Store PGP keys for source file signatures alongside PKGBUILDs
Allan McRae
allan at archlinux.org
Thu Mar 10 23:12:56 UTC 2022
An RFC has now entered Final Comment Period. In 14 days, discussion will
end and the proposal will either be accepted, rejected or withdrawn:

https://gitlab.archlinux.org/archlinux/rfcs/-/merge_requests/11

Please visit the above link for discussion.

Summary:

Store the PGP signing keys listed in a PKGBUILD's `validpgpkeys` array
alongside the PKGBUILD in our VCS.

Motivation:

The PGP keyserver infrastructure has become increasingly brittle over
recent years. This can make helping with updates or rebuilds of packages
difficult due to lack of access to the valid signing key. Having the
signing key exported alongside the PKGBUILD would allow for anybody to
import the key into their keyring and verify the source.