On Sat, 07 Jan 2012 18:01:12 +1000
Allan McRae <allan@archlinux.org> wrote:
> Hi,
>
> I think it is about time that we started enforcing that all package
> uploads are signed by a trusted signature. With the way our
> web-of-trust works, that means anybody without their keys signed by at
> least three of the Arch Linux Master Keys will no longer be able to
> upload packages.
>
> All master keys holders have been available for key signing for over a
> month (some nearer to two months...) so there has been plenty of
> opportunity to have this done. Enforcing all signatures are trusted
> means anyone using signature checking in pacman only needs to import
> and trust the master keys.
>
> I see Pierre has already committed the needed change to dbscripts,
> they just need enabled. Is there anything stopping this happening?
>
>
> FYI, the following people have packages in the repos and do not have
> the required number of master key signatures to be trusted:
>
> [allan@gerolde ~]$ for i in /srv/ftp/pool/{packages,community}/*.sig;
> do pacman-key --verify $i; done 2>&1 | grep -B1 WARNING | grep from |
> sort | uniq
> gpg: Good signature from "Jaroslav Lichtblau (trusted user)
> <dragonlord@aur.archlinux.org>"
> gpg: Good signature from "Kevin Piche <kevin@archlinux.org>"
> gpg: Good signature from "Ronald van Haren <ronald@archlinux.org>"
> gpg: Good signature from "Vesa Kaihlavirta <vegai@iki.fi>"
>
> Allan
if they are inactive, they can fix their signatures at the time they want to be active again.
I wouldn't wait for them.
Dieter
Enforcing trusted signatures on all package uploads
