[Dev] New packaging standards/policy discussion

fauno fauno at endefensadelsl.org
Thu Jul 30 23:35:56 GMT 2015


Icarious <icarious at hacari.org> writes:

>> 
>> should we sign pkgbuilds from arch then?
>> 
>> -- 
>> .oÓ)
> Ideally we should. But given that it's not possible at the moment, the
> least we could do is find a balance between "consistent" source code
> management and security. So as signing git commits "cannot" serve abs
> users, I think it's best to use "gpg --verify PKGBUILD.sig PKGBUILD"
> instead of encouraging the use of two different source code management
> methods by forcing git "for security".

iirc librerelease signs and uploads pkgbuilds (and other local files) to
repo, what's the current use on that?

-- 
P)