[Dev] New packaging standards/policy discussion

Luke g4jc at openmailbox.org
Thu Jul 30 23:43:24 GMT 2015


On 07/30/2015 07:35 PM, fauno wrote:

> Icarious <icarious at hacari.org> writes:
>
>>> should we sign pkgbuilds from arch then?
>>>
>>> -- 
>>> .oÓ)
>> Ideally we should. But given that it's not possible at the moment, the
>> least we could do is find a balance between "consistent" source code
>> management and security. So as signing git commits "cannot" serve abs
>> users, I think it's best to use "gpg --verify PKGBUILD.sig PKGBUILD"
>> instead of encouraging to use two different source code management
>> methods by forcing git "for security".
> iirc librerelease signs and uploads pkgbuilds (and other local files) to
> repo, what's the current use on that?
>
I think that librerelease only signs the compiled binaries. I've used it
several times now and it never signed the PKGBUILDs. If it is intended
to do that it may be a non-working or undocumented feature...
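As an added illustration of the `gpg --verify PKGBUILD.sig PKGBUILD` check proposed above (example code, not from this thread, librerelease, makepkg or any Parabola tool): a small pre-build wrapper that accepts the PKGBUILD only when the signature comes from a pinned key fingerprint. `parse_status`, `verify_pkgbuild`, the fingerprint and the status lines are hypothetical and constructed.

```python
"""Hypothetical pre-build check: verify a detached signature on a PKGBUILD
and accept it only when the signing key is on a pinned fingerprint list.
`gpg --verify` exits 0 for a good signature by *any* key in the keyring,
so the decision uses GnuPG's --status-fd lines, not the exit code alone."""
import subprocess
from typing import Iterable, Set, Tuple

# Status keywords after which the signature must not be accepted.
FATAL = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def parse_status(lines: Iterable[str], trusted_fprs: Set[str]) -> Tuple[bool, str]:
    """Return (ok, reason); ok only if a VALIDSIG line names a pinned key
    (signing key or its primary) and no fatal keyword appears."""
    wanted = {f.upper() for f in trusted_fprs}
    accepted = None
    for line in lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in FATAL:
            return False, fields[1]
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            # fields[2]: signing (sub)key fingerprint; fields[11], when
            # present: fingerprint of the primary key that owns it.
            signing = fields[2].upper()
            primary = fields[11].upper() if len(fields) >= 12 else signing
            if signing in wanted or primary in wanted:
                accepted = signing
    if accepted is None:
        return False, "no VALIDSIG from a pinned key"
    return True, accepted

def verify_pkgbuild(pkgbuild: str, sig: str, trusted_fprs: Set[str]) -> Tuple[bool, str]:
    """Run `gpg --verify SIG PKGBUILD` and judge the result with parse_status."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig, pkgbuild],
        capture_output=True, text=True, check=False)
    return parse_status(proc.stdout.splitlines(), trusted_fprs)

# Constructed sample of --status-fd output for a good signature by a key
# that is in the keyring but has no ownertrust (gpg would still exit 0).
SAMPLE_FPR = "0000000000000000000000000123456789ABCDEF"
SAMPLE_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Packager <packager@example.org>",
    "[GNUPG:] VALIDSIG %s 2015-07-30 1438300000 0 4 0 1 10 00 %s" % (SAMPLE_FPR, SAMPLE_FPR),
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
```

A build script would call `verify_pkgbuild("PKGBUILD", "PKGBUILD.sig", {SAMPLE_FPR})` and refuse to run makepkg unless the first element is True.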
