Enforcing trusted signatures on all package uploads
On Sat, Jan 7, 2012 at 2:01 AM, Allan McRae <email@example.com> wrote:
> I think it is about time that we started enforcing that all package
> uploads are signed by a trusted signature. With the way our
> web-of-trust works, that means anybody without their keys signed by at
> least three of the Arch Linux Master Keys will no longer be able to
> upload packages.
> All master key holders have been available for key signing for over a
> month (some nearer to two months...) so there has been plenty of
> opportunity to have this done. Enforcing all signatures are trusted
> means anyone using signature checking in pacman only needs to import and
> trust the master keys.
I realize I'm the pain in the ass requiring a bit more before I sign
your keys, but given we have 5 master keys, and we're only enforcing 3
signatures (at least at this point in the game), I am on board with
requiring this. I do plan to get back to my backlog of requests soon