[Dev] [UNIFONT] package update
Wael Karram
wael at waelk.tech
Mon Nov 28 11:48:29 GMT 2022
On Mon, 2022-11-28 at 06:30 -0500, bill-auger wrote:
> On Mon, 28 Nov 2022 13:18:54 +0200 Wael wrote:
> > I can't find how to force verification.
>
> it is automatic - if validpgpkeys is populated, any
> source=() files with an associated .asc or .sig will be verified
>
>
> On Mon, 28 Nov 2022 13:18:54 +0200 Wael wrote:
> > Additionally I thought we can do without it, but the download is done over
> > HTTP
> > and not HTTPS
>
> encryption is not a significant factor
>
> signatures are always optional, because most projects do not
> publish them; but signatures should be verified whenever the
> upstream does publish them
Then in this case I guess it should be left in, right?
I've just checked the PGP key again and it matches what the upstream has
published.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20221128/50a4f3a0/attachment.sig>
More information about the Dev
mailing list