Could some key developers sign /developers and /trustedusers or create something like debian-keyring package? That would allow a transition from implicit trust to [core]+[extra] to gpg-based trust model.
Currently there is no way to verify if /developers and /trustedusers are correct, and to build a trusted initial keyring...
Srg 07:08, 17 January 2012 (EST)
I've tried to make this page more accessible for people who are setting up package signing. If anyone who is super-familiar with pacman-key could double-check the facts, I'd appreciate it. --DJPohly 18:08, 18 January 2012 (EST)