Doug Newgard <scimmia@archlinux.info> on Sun, 2015/01/04 16:03:
> On Sun, 4 Jan 2015 22:05:21 +0100 Christian Hesse <list@eworm.de> wrote:
>> Hello everybody,
>> pacman 4.2.0 gained support for verifying source tarballs with kernel.org-style signatures. Some (even essential) packages could benefit from that, linux and git come to mind.
>> How to handle this? Report a bug for every package? Provide a list here?
>
> A lot of it is already happening: https://www.archlinux.org/todo/validpgpkeys-integrity-check/
This is about the validpgpkeys array. Glad to see this happen, but it is not what I was speaking about: if the tar archive (instead of the compressed archive) was signed, pacman < 4.2.0 could not check it. That is why you cannot find these with grep.
> If you want it added to a package that isn't on that list, the bug tracker is probably the best bet. Note that the linux package already has it.
Ah, I can see it on the website, but abs did not yet sync it. Thanks!
-- 
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/* Chris get my mail address: */=0;b=c[a++];)
putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);}