[Dev] New packaging standards/policy discussion

Michał Masłowski mtjm at mtjm.eu
Sat Aug 1 07:34:09 GMT 2015


> I don't see any way around this yet. You could do this in batch if
> desired.
> parallel gpg --default-key [yourkey] -b ::: PKGBUILD
>
> If people are using abs it pulls PKGBUILD and related source files,
> adding a .sig allows abs users to validate the PKGBUILD was created by
> the claimed PKGBUILD Maintainer.

PKGBUILDs should not be edited only by their maintainers.  If abs is
insecure, we should deprecate abs, not make git merges and rebases
require manual work of fixing the signatures.

> Even then unless the git is signed it'll be very hard
> to determine how that happened since everyone is using the same git
> user, and it would be trivially easy to spoof username in gitconfig
> should an attacker actually gain access.

But you want people to sign commits with their GPG keys?

> Regarding the code review, thankfully gpg is pretty straightforward
> since we can use --verify.

Code review means that someone else would read the git patch and
approve it before the package is uploaded.  Yes, this procedure makes
the (nonexistent) review harder.
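The following is an added example, not code from this thread or from Parabola. It performs the detached signing the quoted proposal describes (the same operation as `gpg --default-key <key> -b PKGBUILD`, minus the `parallel` wrapper), verifies the result with `gpg --verify`, and then edits the PKGBUILD the way a merge or rebase would, to show that the old `.sig` stops verifying. The key name, e-mail and PKGBUILD contents are constructed for the demonstration; the script creates a throwaway GNUPGHOME and removes it afterwards.

```shell
#!/bin/sh
# Added example (not from the thread): detached-sign a PKGBUILD, verify it,
# then show that any later edit to the file leaves the old .sig invalid.
set -eu

# Sign FILE ($1) with KEY ($2), writing the detached signature FILE.sig.
sign_pkgbuild() {
    gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --default-key "$2" --detach-sign "$1"
}

# Return 0 when FILE.sig is a good signature over FILE ($1), non-zero otherwise.
verify_pkgbuild() {
    gpg --batch --verify "$1.sig" "$1" >/dev/null 2>&1
}

# Run the whole scenario in a throwaway GNUPGHOME. Returns 0 only if the
# fresh signature verifies AND no longer verifies after the file is edited.
run_demo() {
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"

    # Constructed throwaway key; a maintainer would use their own key id.
    key='Example Maintainer <maintainer@example.invalid>'
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$key" ed25519 sign never >/dev/null 2>&1

    # Constructed minimal PKGBUILD standing in for a real one.
    printf 'pkgname=example\npkgver=1.0\npkgrel=1\n' >"$work/PKGBUILD"

    sign_pkgbuild "$work/PKGBUILD" "maintainer@example.invalid"
    fresh=1; stale=1
    if verify_pkgbuild "$work/PKGBUILD"; then fresh=0; fi

    # Simulate a merge or rebase touching the file: bump pkgrel.
    printf 'pkgrel=2\n' >>"$work/PKGBUILD"
    if verify_pkgbuild "$work/PKGBUILD"; then stale=0; fi

    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"

    [ "$fresh" -eq 0 ] && [ "$stale" -ne 0 ]
}

if run_demo; then
    echo "fresh signature verified; signature rejected after edit"
else
    echo "unexpected result" >&2
    exit 1
fi
```

This is the failure mode the reply points at: a detached signature covers the exact bytes of one revision of the file, so every merge or rebase that changes PKGBUILD also forces the signer to produce a new `.sig`, and a consumer that only checks the `.sig` learns nothing about who made the intermediate edits.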