From b374b7e3e653750d1f3c801ee78c111f591c444c Mon Sep 17 00:00:00 2001
From: Justin Kromlinger <hashworks@archlinux.org>
Date: Sun, 2 May 2021 16:37:31 +0200
Subject: [PATCH] Arch Linux: Add note on lsign-key

Related Issue:
https://gitlab.archlinux.org/archlinux/archlinux-docker/-/issues/18
---
 archlinux/content.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/archlinux/content.md b/archlinux/content.md
index c7786a5bd..0e66b1fea 100644
--- a/archlinux/content.md
+++ b/archlinux/content.md
@@ -21,6 +21,8 @@ This image is intended to serve the following goals:
 -	`pacman` needs to work out of the box
 -	All installed packages have to be kept unmodified
 
+> ⚠️⚠️⚠️ NOTE: For Security Reasons, these images strip the pacman lsign key. This is because the same key would be spread to all containers of the same image, allowing for malicious actors to inject packages (via, for example, a man-in-the-middle). In order to create an lsign-key run `pacman-key --init` on the first execution, but be careful to not redistribute that key. ⚠️⚠️⚠️
+
 ## Availability
 
 Root filesystem tarballs are [provided by our GitLab](https://gitlab.archlinux.org/archlinux/archlinux-docker/-/releases) for at least two months.