On Fri, Dec 09, 2016 at 03:15:34PM +0100, Bruno Pagani wrote:
> On 08/12/2016 at 01:57, Leonid Isaev wrote:
>> On Thu, Dec 08, 2016 at 10:34:59AM +1000, Allan McRae wrote:
>>> On 08/12/16 08:51, sivmu wrote:
>>>> On 07.12.2016 at 10:49, Allan McRae wrote:
>>>>> ... I advocate keeping md5sum as the default because it is broken. If I
>>>>> see someone purely verifying their sources using md5sum in a PKGBUILD
>>>>> (and not pgp signature), I know that they have done nothing to actually
>>>>> verify the source themselves. ...
>>>>
>>>> That is a very dangerous assumption. I know for a fact that many
>>>> maintainers used md5 for verification because it is the default. There
>>>> are/were maintainers that downloaded the source, verified the pgp
>>>> signature and generated the md5 checksum to include it in the PKGBUILD
>>>> (without the pgp signature)
>>>
>>> Idiots... so again using md5sums as the default saves me from people who
>>> don't know how to package.
>>
>> Actually, this might not be so crazy. Sometimes you get a signed sha*sums
>> file instead of signed source, so you don't include the key in validpgpkeys
>> array. For example, when building Firefox, I have to manually verify the
>> sig on SHA512SUMS and then paste the sha512sum into PKGBUILD. But this is
>> because I'm paranoid... I guess one can simply do makepkg -g, hmm.
>>
>> Hence the question, why have this flag at all? And should it be possible to
>> specify an external (signed) hash-file in PKGBUILD?
>>
>> Thx,
>> L.
>
> What is wrong with adding the sha*sum file and its signature in the source
> array and then use validpgpkeys?

And then what?

-- 
Leonid Isaev
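The manual step Leonid describes (verify the signature on the upstream SHA512SUMS file, then take the tarball's hash out of it for the PKGBUILD) is easy to script. The script below is an added example written for this thread, not code from pacman, makepkg or any of the posters. It assumes a detached signature file next to the sums file (here called SHA512SUMS.asc) and that the signing key is already in the local gpg keyring; the file names in the demo are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): script the "verify SHA512SUMS, then
# take the tarball's hash" step. Assumed names: SHA512SUMS, SHA512SUMS.asc,
# and a signing key already imported into the local gpg keyring.

# Verify a detached signature on the checksum file. Non-zero exit means gpg
# rejected it, so nothing read from that file should be trusted.
verify_sums_sig() {
    gpg --verify "$2" "$1" >/dev/null 2>&1
}

# Print the sha512 recorded for one exact file name in a sha512sum-format
# file ("<hash>  <name>" per line). Exact match on the name, not substring,
# so "foo.tar.xz" does not pick up "foo.tar.xz.asc".
sum_for_file() {
    awk -v n="$2" '$2 == n { print $1; exit }' "$1"
}

# Compare a local tarball against its entry in the (already verified) sums
# file. Arguments: sums file, path to tarball, optional name as listed in the
# sums file (defaults to the tarball's basename; upstream lists may use
# relative paths). Prints the hash on success so it can be pasted into
# sha512sums=(); fails on a missing entry or a mismatch.
check_tarball() {
    sums_file=$1
    tarball=$2
    listed=${3:-$(basename "$tarball")}
    expected=$(sum_for_file "$sums_file" "$listed")
    if [ -z "$expected" ]; then
        echo "no entry for $listed in $sums_file" >&2
        return 1
    fi
    actual=$(sha512sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $tarball" >&2
        return 1
    fi
    echo "$expected"
}

# Full flow on real upstream files: refuse to go on unless the signature
# checks out, then print the hash to paste into the PKGBUILD.
signed_sum_for_pkgbuild() {
    verify_sums_sig "$1" "$1.asc" || { echo "bad signature on $1" >&2; return 1; }
    check_tarball "$1" "$2" "$3"
}

# Demo on constructed input (no network, no gpg): a fake tarball and a sums
# file built in a temp dir, then checked.
demo() {
    d=$(mktemp -d)
    printf 'constructed tarball contents\n' > "$d/example-1.0.tar.xz"
    ( cd "$d" && sha512sum example-1.0.tar.xz > SHA512SUMS )
    check_tarball "$d/SHA512SUMS" "$d/example-1.0.tar.xz"
    rm -rf "$d"
}
demo
```

Usage on real input is `signed_sum_for_pkgbuild SHA512SUMS firefox-<ver>.source.tar.xz <name-as-listed>`; the point of the ordering is that the hash is only ever read from a file gpg has accepted, which is the guarantee a bare sha512sums=() line in a PKGBUILD cannot convey on its own.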