[Dev] New packaging standards/policy discussion

Luke g4jc at openmailbox.org
Thu Jul 30 23:43:24 GMT 2015

On 07/30/2015 07:35 PM, fauno wrote:

> Icarious <icarious at hacari.org> writes:
>>> should we sign pkgbuilds from arch then?
>>> -- 
>>> .oÓ)
>> Ideally we should. But given that its not possible at the moment, the
>> least we could do is find a balance between "consistent" source code
>> management and security. So as signing git commits "cannot" serve abs
>> users, I think its best to use "gpg --verify PKGBUILD.sig PKGBUILD"
>> instead of encouraging to use two different source code management
>> methods by forcing git "for security".
> iirc librerelease signs and uploads pkgbuilds (and other local files) to
> repo, what's the current use on that?
I think that librerelease only signs the compiled binaries. I've used it
several times now and it never signed the PKGBUILDs. If it is intended
to do that it may be a non-working or undocumented feature...

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20150730/e1da9cf0/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20150730/e1da9cf0/attachment.sig>

More information about the Dev mailing list