31 Oct 2016, 11:18 p.m.
On 10/31/2016 05:50 PM, Leonid Isaev wrote:
> As a side question... is there a significant difference in signing PKGBUILD vs the compiled package?
Do you realize, when you ask if there is a difference between signing a PKGBUILD vs. a built package, it sounds an awful lot like asking if there is a difference between a PKGBUILD and a built package? Well, of course there is a difference. They are two different things...
> Given that when building a pkg, I inspect the PKGBUILD, what attack is possible when the PKGBUILD is not signed?
Off the top of my head, there is *the topic of this thread*. Someone could modify the checksums and deliver fake sources. When the PKGBUILD just says "run `make`", how do you tell the difference?

-- 
Eli Schwartz
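Eli's point, modelled as an added Python example (not code from the thread, from makepkg or from Arch): the PKGBUILD's own sha256sums check still passes after someone swaps the source tarball and rewrites the checksum to match, whereas a signature over the PKGBUILD made with a key the tamperer does not hold fails. HMAC-SHA256 with a constructed maintainer key stands in for a detached GPG signature, and the PKGBUILD fragment and tarball bytes are constructed.

```python
"""Model of the threat discussed above: a PKGBUILD lists the checksum of
its own source, so whoever can rewrite the PKGBUILD can rewrite the
checksum too.  Only a signature over the PKGBUILD, made with a key the
tamperer lacks, detects the swap.  Example code, not from makepkg."""
import hashlib
import hmac
import re

# Constructed PKGBUILD fragment and the tarball bytes it refers to.
ORIG_SOURCE = b"genuine upstream tarball bytes (constructed)"
ORIG_PKGBUILD = (
    "pkgname=example\n"
    "source=('example.tar.gz')\n"
    f"sha256sums=('{hashlib.sha256(ORIG_SOURCE).hexdigest()}')\n"
    "build() { make; }\n"
)


def checksums_match(pkgbuild: str, source: bytes) -> bool:
    """The integrity check makepkg performs: compare the tarball's SHA-256
    with the value listed in the PKGBUILD itself."""
    m = re.search(r"sha256sums=\('([0-9a-f]{64})'\)", pkgbuild)
    return m is not None and m.group(1) == hashlib.sha256(source).hexdigest()


def sign_pkgbuild(pkgbuild: str, maintainer_key: bytes) -> str:
    """Stand-in for a detached GPG signature over the PKGBUILD (HMAC-SHA256)."""
    return hmac.new(maintainer_key, pkgbuild.encode(), "sha256").hexdigest()


def signature_valid(pkgbuild: str, sig: str, maintainer_key: bytes) -> bool:
    return hmac.compare_digest(sign_pkgbuild(pkgbuild, maintainer_key), sig)


def swap_source(pkgbuild: str, fake_source: bytes) -> str:
    """Replace the listed checksum so it matches a different tarball."""
    new_sum = hashlib.sha256(fake_source).hexdigest()
    return re.sub(r"sha256sums=\('[0-9a-f]{64}'\)",
                  f"sha256sums=('{new_sum}')", pkgbuild)


def demo() -> dict:
    key = b"maintainer-private-key (constructed)"
    sig = sign_pkgbuild(ORIG_PKGBUILD, key)          # made by the maintainer
    fake_source = b"fake tarball bytes (constructed)"
    altered = swap_source(ORIG_PKGBUILD, fake_source)
    return {
        "orig_checksum_ok": checksums_match(ORIG_PKGBUILD, ORIG_SOURCE),
        "swapped_checksum_ok": checksums_match(altered, fake_source),  # True: no help
        "swapped_signature_ok": signature_valid(altered, sig, key),    # False: caught
    }
```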