First, i need to make an announcement for users about the installation of obcommunity-keyring package. You're quicker than me guys 🙂.
cdop installing packages from obcommunity is always a very deliberate (rather than accidental) action, because it requires two steps (uncommenting the repo and installing the keyring);
the steps are still individually trivial, which means that installing packages from obcommunity is deliberate but not a headache.
obcommunity-keyring is managed in the same way as obarun-keyring; same procedure, same infrastructure.
You fully understood my point.
By default, maintainer do not need to incorporate a personnal GPG key. The obcommunity group provide a sane GPG_SIGN_KEY variable for each obcommunity project. This is avoid the "> cdop maintainers can see each other's private keys issue".
But i let the ability to maintainers to provide their own key if they want. In this case, the maintainer need to update the obcommunity-keyring.
As obcommunity is a none official repo, we have no reason to provide the keyring from the obextra repo. For sure it will be easier for user to use the obcommunity repo but as you said @cdop this force the user to understand the risks.
Well, if you have already set a GPG_SIGN_KEY CI/CD variable at your project, consider to remove it, or do not forget to make change at obcommunity-keyring project.
prototype-pkg template documentation changes