Arch Linux impacted by new defaults in 2.2.17

Wiktor Kwapisiewicz wiktor at
Fri Jul 12 15:10:43 CEST 2019


I just saw the following bug reported in Arch Linux repos:

with the title "[gnupg] 2.2.17 release is broken by design and breaks 

It appears Arch's packages use Web of Trust for introducing new 
developers by adding 3 signatures out of 5 (or 6) marginally trusted 
Master Signing Keys: and thus 
they depend on these signatures to be there.

Quoting the bug report:

> By default, pacman itself will try to look up keys which it does not know about yet, and download them with the master key signatures in order to validate signed packages/repositories. 

Would deploying WKD on and making signatures with --sender 
preserve third-party-signatures that they depend on?

Kind regards,


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 919 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Gnupg-users mailing list