Hello, I just saw the following bug reported in Arch Linux repos: https://bugs.archlinux.org/task/63147
with the title "[gnupg] 2.2.17 release is broken by design and breaks pacman".
It appears Arch's packages use Web of Trust for introducing new developers by adding 3 signatures out of 5 (or 6) marginally trusted Master Signing Keys: https://www.archlinux.org/master-keys/ and thus they depend on these signatures to be there.
Quoting the bug report:
> By default, pacman itself will try to look up keys which it does not know about yet, and download them with the master key signatures in order to validate signed packages/repositories.
Would deploying WKD on archlinux.org and making signatures with --sender preserve third-party-signatures that they depend on?
Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users