[erhardm]

I'm wondering if destroying the signing keys will have legal consequences. Are signing keys considered company IP when their identity is "fused" with the main developer?

Reading online posts it seems that the community is trusting the developer, not the company behind him.

[toyg]

If those keys were generated before the company existed, and there is no explicit assignment, then they clearly belonged to him.

If they were generated later, it gets very hairy. Were they created with company resources? On company time? Is there a record of this happening? Etc etc.

Going to court would be a huge waste of money for all parties involved, at this point.

[earenndil]

His twitter says he originally generated them in 2009-2010 to submit packages to the aur. So he's probably in the clear.

[erhardm]

But if those keys represent Person A at Company X then who owns them? Can the company use them if they don't represent the truth anymore?

Who's responsibility is it to guard/change/dispose them?