McGee: The real story behind Arch Linux package signing
On his blog, Arch Linux developer (and Pacman lead) Dan McGee strongly disagrees with an LWN article on the lack of Arch Linux package signing (from this week's Security page). In the posting, he covers the history of the feature in great detail. "You can imagine at this point, a year down the road from the first patches, none of the primary pacman developers are very interested in implementing this themselves. Perhaps this is true, with the ironic twist that more than half of the patches on our long-lived gpg branch are from the three main contributors. I think the most truthful statement is that no one wanted to take the lead on this and finish it by themselves. At this point, the work is nearly where it stands today, as most of the additional work I merged in the last few days was simply bitrot cleanups (aside from pacman-key). However, nowhere have you seen any sense of 'even if you produce good work and get things finished we won't take it' attitudes from Allan [McRae] or I."