5 Dec
2016
5 Dec
'16
11:59 p.m.
Am 05.12.2016 um 23:45 schrieb Eli Schwartz via arch-general:
On 12/05/2016 05:25 PM, sivmu wrote:
A LOT of packages do not use pgp validation even though upstream provides signatures. That is the real issue here.
Let me say this again: everyone who is responsible for arch packages needs to be clearly advised to use all available methods to effectively verify upstream source files.
Using a strong hash by default won't do that.
AUR packages, or repo packages? There was a todo list[1] for the repos.
For anything in the AUR you should definitely drop a comment on their page. And change the wiki guidelines on packaging standards to mention this.
Wow thanks for the link, I did not kow that yet. That looks awesome.