On 04/01/15 04:05 PM, Christian Hesse wrote:
Hello everybody,
pacman 4.2.0 gained support for verifying source tarballs with kernel.org style signature. Some (even essential) packages could benefit from that, linux and git come to mind.
How to handle this? Report a bug for every package? Provide a list here?
I would create a wiki page with the list and then see if you can find a developer interested in mass-adding the missing signatures. I'd be interested in helping with it for [community], but you'll likely be able to do it yourself soon ;). Note that you should check svn rather than abs because there's usually no rebuild for something like this.

The linux{-lts,-grsec} packages are using the new feature now. I expect that this can be automated to a large extent. Looking for files with .asc / .sig extensions doesn't need to be done by hand. It also makes sense to figure out which packages can use HTTPS to fetch sources since that's a lot better than nothing if no signatures are available.
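As an added example of the automation suggested above (not code from the thread or from pacman), the script below scans a constructed PKGBUILD fragment and flags archive sources that have no companion .sig/.asc/.sign entry (allowing for kernel.org's signature over the uncompressed tarball), sources fetched over plain http, and a missing validpgpkeys array, makepkg's list of trusted signing keys. The URLs and key fingerprint are placeholders.

```python
import re

# Constructed PKGBUILD fragment for the demo; the URLs and key are placeholders, not a real package.
SAMPLE_PKGBUILD = r'''
pkgname=example
pkgver=1.0
source=("http://example.invalid/example-$pkgver.tar.xz"
        "https://example.invalid/example-$pkgver.tar.sign"
        "https://example.invalid/helper-2.0.tar.gz"
        "patch-1.diff::https://example.invalid/patch?id=1")
validpgpkeys=('0000000000000000000000000000000000000000')
'''

SIG_SUFFIXES = ('.sig', '.asc', '.sign')
COMPRESSION_RE = re.compile(r'\.(gz|bz2|xz|lz|zst)$')
ARCHIVE_RE = re.compile(r'\.(tar(\.(gz|bz2|xz|lz|zst))?|tgz|tbz2|txz|zip)$')

def parse_array(text, name):
    """Return the items of a simple (non-nested) bash array 'name=( ... )' in a PKGBUILD."""
    m = re.search(r'^' + name + r'=\((.*?)\)', text, re.S | re.M)
    return [item.strip('\'"') for item in m.group(1).split()] if m else []

def local_name(entry):
    """makepkg allows 'filename::url'; otherwise the local file is the URL's basename."""
    if '::' in entry:
        return entry.split('::', 1)[0]
    return entry.rsplit('/', 1)[-1]

def audit_pkgbuild(text):
    """Return (finding, local file name) pairs for weak spots in the source array."""
    sources = parse_array(text, 'source')
    names = {local_name(s) for s in sources}
    sig_names = {n for n in names if n.endswith(SIG_SUFFIXES)}
    findings = []
    for entry in sources:
        name = local_name(entry)
        url = entry.split('::', 1)[-1]
        if url.startswith('http://'):
            findings.append(('plain-http', name))
        if name in sig_names or not ARCHIVE_RE.search(name):
            continue
        # kernel.org signs the uncompressed tarball: linux-x.y.tar.xz pairs with linux-x.y.tar.sign
        candidates = {name, COMPRESSION_RE.sub('', name)}
        signed = any(c + suf in sig_names for c in candidates for suf in SIG_SUFFIXES)
        if not signed:
            findings.append(('unsigned', name))
    if sig_names and not parse_array(text, 'validpgpkeys'):
        findings.append(('no-validpgpkeys', ''))
    return findings

if __name__ == '__main__':
    for kind, name in audit_pkgbuild(SAMPLE_PKGBUILD):
        print(f'{kind}: {name}')
```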