<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-text-plain" wrap="true" graphical-quote="true"
style="font-family: -moz-fixed; font-size: 12px;" lang="x-western">
<pre wrap="">On 07/30/2015 07:35 PM, fauno wrote:
</pre>
<blockquote type="cite" style="color: #000000;">
<pre wrap="">Icarious <a class="moz-txt-link-rfc2396E" href="mailto:icarious@hacari.org"><icarious@hacari.org></a> writes:
</pre>
<blockquote type="cite" style="color: #000000;">
<blockquote type="cite" style="color: #000000;">
<pre wrap="">should we sign pkgbuilds from arch then?
--
.oÓ)
</pre>
</blockquote>
<pre wrap="">Ideally we should. But given that its not possible at the moment, the
least we could do is find a balance between "consistent" source code
management and security. So as signing git commits "cannot" serve abs
users, I think its best to use "gpg --verify PKGBUILD.sig PKGBUILD"
instead of encouraging to use two different source code management
methods by forcing git "for security".
</pre>
</blockquote>
<pre wrap="">iirc librerelease signs and uploads pkgbuilds (and other local files) to
repo, what's the current use on that?
</pre>
</blockquote>
<pre wrap="">I think that librerelease only signs the compiled binaries. I've used it
several times now and it never signed the PKGBUILDs. If it is intended
to do that it may be a non-working or undocumented feature...
</pre>
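Added example, not from anyone in this thread: a shell check around the "gpg --verify PKGBUILD.sig PKGBUILD" step discussed above. It assumes the PKGBUILD and a detached PKGBUILD.sig sit in the same directory, and it adds one caveat a builder should know: gpg exits 0 for any good signature, even from an unknown or untrusted key, so the function reads the machine-readable status lines and only accepts a signature from a fully or ultimately trusted key.

```shell
# verify_pkgbuild DIR
# Returns 0 when DIR/PKGBUILD carries a valid detached signature from a
# key with full or ultimate trust in the current keyring; 1 when the
# signature is missing or bad; 2 when it is good but the key is not
# trusted. Mirrors the command quoted in the thread, with --status-fd
# added so the trust level can be checked instead of relying on exit 0.
verify_pkgbuild() {
    dir=${1:-.}
    [ -r "$dir/PKGBUILD" ] && [ -r "$dir/PKGBUILD.sig" ] || return 1
    # --status-fd 1 sends "[GNUPG:] ..." status lines to stdout; the
    # human-readable chatter goes to stderr and is discarded here.
    status=$(gpg --batch --status-fd 1 \
                 --verify "$dir/PKGBUILD.sig" "$dir/PKGBUILD" 2>/dev/null) \
        || return 1
    # VALIDSIG only appears for a cryptographically good signature.
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] VALIDSIG ' || return 1
    # TRUST_* tells us how the signing key is trusted; unknown keys
    # produce TRUST_UNDEFINED, which we refuse.
    printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)' \
        || return 2
    return 0
}

# build_if_verified DIR: gate makepkg on the check above (illustrative;
# the makepkg call is what a packager would put here).
build_if_verified() {
    verify_pkgbuild "$1" || { echo "refusing to build: PKGBUILD signature check failed ($?)" >&2; return 1; }
    echo "signature ok, would run: (cd $1 && makepkg)"
}
```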
</div>
</body>
</html>