29 May 2022, 9:20 p.m.
On Sun, May 29, 2022 at 10:25:52PM +0200, Jonas Witschel wrote:
> This best practice of using pinned tag object hashes could then be enforced by a tool like your recently created archlinux-inputs-fsck [3]. Note that this project currently does not recognise PKGBUILDs with pinned tag hashes as secure (because it does not distinguish between regular tag names and object hashes). For the reasons outlined by the previous posters I don't think this assessment as currently made by archlinux-inputs-fsck is justified [4].
I think namcap should get support for warning against this. There is quite a bit of room for improvement over this I reckon.

-- 
Morten Linderud
PGP: 9C02FF419FECBE16
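As an added illustration of the check the thread is asking for (this is example code written for this page, not code from namcap or archlinux-inputs-fsck), the script below parses the source=() array of a PKGBUILD and classifies each git entry by whether its #commit= or #tag= fragment is a full 40-hex object hash (pinned) or a tag or branch name (mutable, since upstream can move it). It assumes the makepkg fragment syntax (url#key=value, optional name:: prefix, optional ?signed query), inspects only the literal array text without bash variable expansion, and uses a constructed sample PKGBUILD with reserved example.invalid URLs.

```python
"""Classify the git entries of a PKGBUILD source=() array as pinned or mutable.

Added example, not code from namcap or archlinux-inputs-fsck. A git
'#commit=' or '#tag=' fragment whose value is a full 40-hex object hash
pins the input; a tag or branch *name* is mutable. Assumptions: only the
literal text of source=() is inspected (no bash variable expansion), and
comment lines inside the array start with '#'. Only git sources are handled.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")  # full object id only, no abbreviations
SOURCE_RE = re.compile(r"^\s*source(?:_[A-Za-z0-9_]+)?=\((.*?)\)", re.S | re.M)
GIT_PREFIXES = ("git+", "git://")  # how makepkg recognises a git source


@dataclass
class SourceEntry:
    raw: str
    url: str
    fragment_key: Optional[str]
    fragment_value: Optional[str]

    @property
    def is_git(self) -> bool:
        return self.url.startswith(GIT_PREFIXES)


def parse_entry(raw: str) -> SourceEntry:
    """Split one source entry into URL, fragment key and fragment value."""
    url = raw.split("::", 1)[1] if "::" in raw else raw  # drop "name::" prefix
    url, _, fragment = url.partition("#")
    url = url.partition("?")[0]                           # drop e.g. "?signed"
    fragment = fragment.partition("?")[0]                 # query may follow the fragment
    key = value = None
    if fragment:
        key, _, value = fragment.partition("=")
    return SourceEntry(raw, url, key or None, value or None)


def classify(entry: SourceEntry) -> str:
    """'pinned' for a full object hash, 'mutable' for names, 'non-vcs' otherwise."""
    if not entry.is_git:
        return "non-vcs"
    if (entry.fragment_key in ("commit", "tag") and entry.fragment_value
            and SHA1_RE.match(entry.fragment_value)):
        return "pinned"
    # Branch names, tag names, abbreviated hashes and a bare URL (default HEAD) can all move.
    return "mutable"


def extract_sources(pkgbuild: str) -> List[str]:
    """Return the raw entries of every source=() / source_<arch>=() array."""
    entries: List[str] = []
    for body in SOURCE_RE.findall(pkgbuild):
        lines = [ln for ln in body.splitlines() if not ln.lstrip().startswith("#")]
        entries.extend(shlex.split("\n".join(lines)))  # honours bash-style quoting
    return entries


def audit(pkgbuild: str) -> List[Tuple[str, str]]:
    """(raw entry, verdict) for every source entry in the PKGBUILD text."""
    return [(raw, classify(parse_entry(raw))) for raw in extract_sources(pkgbuild)]


# Constructed sample PKGBUILD fragment (not a real package); example.invalid is reserved.
SAMPLE_PKGBUILD = '''
pkgname=example
source=("git+https://example.invalid/example.git#tag=v1.2.3"
        # pinned by commit object hash
        "example-src::git+https://example.invalid/example.git#commit=0123456789abcdef0123456789abcdef01234567"
        "git+https://example.invalid/example.git#tag=89abcdef0123456789abcdef0123456789abcdef?signed"
        "git+https://example.invalid/example.git#branch=main"
        "git+https://example.invalid/example.git"
        "https://example.invalid/example-1.2.3.tar.gz")
sha256sums=('SKIP' 'SKIP' 'SKIP' 'SKIP' 'SKIP' 'SKIP')
'''

if __name__ == "__main__":
    for raw, verdict in audit(SAMPLE_PKGBUILD):
        print(f"{verdict:8} {raw}")
```

Only the two entries whose fragment value is a full object hash come back as "pinned"; the tag name, the branch name and the bare URL are "mutable", and the tarball is reported as "non-vcs" since it is covered by checksums rather than a git ref. A linter warning would fire on every "mutable" verdict.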