[Dev] New packaging standards/policy discussion

fauno fauno at endefensadelsl.org
Thu Jul 30 23:22:23 GMT 2015


Icarious <icarious at hacari.org> writes:

>> I don't see why signing the PKGBUILD is required when signing the whole
>> commit achieves the same thing and is easily verifiable with: git pull
>> --rebase --verify-signatures
>
> I think every time we talk about exclusively basing a design just because we have git, we must remember that it's not only Parabola PKGBUILDs we deal with. Most of our PKGBUILDs are inclusive of packages from Arch too, and abslibre `does not` clone them at all. So the user is left with either 1) use abs, or 2) go to Arch's git web interface and individually download them.
>
> This argument has been discussed before, and I have repeatedly brought it to everyone's attention that we can't have an inconsistent solution like "use git for Parabola's PKGBUILDs, and use Arch's git interface (which does have PKGBUILDs of non-free packages too) for the majority of the packages that come from [core], [extra] and [community]". This is a very dirty way of source code management. So before anyone suggests "IGNORING" abs completely because "we have git", please do remember the PKGBUILDs that come from Arch. Unless we fix that part, abs remains the "consistent" method of downloading PKGBUILDs without confusing the user and referring them to the non-free Arch git interface, and it is hence important to sign PKGBUILDs too.

Should we sign PKGBUILDs from Arch then?

-- 
.oÓ)