[Dev] New packaging standards/policy discussion

Icarious icarious at hacari.org
Thu Jul 30 23:28:13 GMT 2015


> 
> should we sign pkgbuilds from arch then?
> 
> -- 
> .oÓ)

Ideally we should. But given that it's not possible at the moment, the least we could do is find a balance between "consistent" source code management and security. So as signing git commits "cannot" serve abs users, I think it's best to use "gpg --verify PKGBUILD.sig PKGBUILD" instead of encouraging the use of two different source code management methods by forcing git "for security".

-- 
Icarious
GPG Public Key : 0x4428BA28AA2ACCD2
GPG Fingerprint : 6C37 E88E DD0B F042 7A15  676E 4428 BA28 AA2A CCD2
www.gnuos.in