On 2022-05-30 07:46, Allan McRae wrote:
> On 30/5/22 06:25, Jonas Witschel wrote:
>> Nevertheless I would love to see more (ideally all) packages using pinned tag object hashes over tag names, which I think would provide a tangible security benefit.
>
> I thought this was already the standard. There were lots of bug reports (and a todo list?) to remove people using a tag a while back.
>
> Is there just a lack of detailed PKGBUILD guidelines?

I could not find it in the package guidelines, so there is definitely a documentation issue. Therefore I amended the wiki accordingly: https://wiki.archlinux.org/index.php?title=Arch_package_guidelines&diff=731044&oldid=726554

On 2022-05-29 23:20, Morten Linderud wrote:
> I think namcap should get support for warning against this. There is quite a bit of room for improvement over this I reckon.

This sounds like a good idea as well in order to increase visibility, since it can be hard to keep up with guideline changes (especially if not communicated via a mailing list discussion or an RFC, unlike this one).

Cheers,
Jonas

-- 
Jonas Witschel
Arch Linux Developer, Trusted User and security team member
PGP key: FE2E6249201CA54A4FB90D066E80CA1446879D04
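The kind of check Morten suggests for namcap, written here as an added example that is not code from the thread or from namcap itself. It assumes the makepkg source-entry shape `[name::]git+<url>[#commit=|#tag=|#branch=<ref>][?signed]` (simplified, no variable expansion), and the PKGBUILD it scans is a constructed sample:

```python
import re
from typing import List, Optional

# Assumed (simplified) shape of a makepkg git source entry:
#   [name::]git+https://host/repo.git[#commit=|#tag=|#branch=<ref>][?signed]
GIT_SOURCE = re.compile(
    r"^(?:(?P<name>[^:]+)::)?"             # optional local directory name
    r"(?P<url>git(?:\+[a-z]+)?://[^#?]+)"  # git://, git+https://, git+ssh://, ...
    r"(?:#(?P<fragment>[a-z]+=[^?]+))?"    # optional #commit=/#tag=/#branch=
    r"(?P<signed>\?signed)?$"
)
# Full SHA-1 or SHA-256 object id: the only form upstream cannot silently repoint.
FULL_HASH = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")


def check_source(entry: str) -> Optional[str]:
    """Return a warning for a git source that is not pinned to an object hash,
    or None when the entry is fine or is not a git source at all."""
    m = GIT_SOURCE.match(entry)
    if not m:
        return None  # tarballs etc. are covered by the checksum arrays instead
    fragment = m.group("fragment")
    if fragment is None:
        return f"{entry}: no #commit=/#tag=, follows the moving default branch"
    kind, _, ref = fragment.partition("=")
    if kind == "branch":
        return f"{entry}: #branch={ref} is a moving ref; pin an object hash"
    if kind in ("commit", "tag") and not FULL_HASH.match(ref):
        # ?signed only proves *some* tag/commit by a trusted key was fetched;
        # a re-tagged name would still pass, so the hash is needed as well.
        return f"{entry}: #{kind}={ref} is a mutable name; pin the full object hash"
    return None


def lint_pkgbuild(text: str) -> List[str]:
    """Collect warnings for every quoted entry of the first source=(...) array."""
    m = re.search(r"source=\((.*?)\)", text, re.S)
    if not m:
        return []
    entries = re.findall(r"""['"]([^'"]+)['"]""", m.group(1))
    return [w for w in (check_source(e) for e in entries) if w]


# Constructed sample PKGBUILD fragment (not a real package).
SAMPLE_PKGBUILD = """\
pkgname=example
source=("git+https://example.invalid/example.git#tag=v1.2.3?signed"
        "pinned::git+https://example.invalid/example.git#tag=0123456789abcdef0123456789abcdef01234567"
        "https://example.invalid/example-1.2.3.tar.gz")
"""

if __name__ == "__main__":
    for warning in lint_pkgbuild(SAMPLE_PKGBUILD):
        print(warning)
```

Only the first entry is reported: the second is pinned to a full tag object hash and the third is not a git source.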