5 Dec
2016
5 Dec
'16
11:45 p.m.
On 12/05/2016 05:25 PM, sivmu wrote:
A LOT of packages do not use pgp validation even though upstream provides signatures. That is the real issue here.
Let me say this again: everyone who is responsible for arch packages needs to be clearly advised to use all available methods to effectively verify upstream source files.
Using a strong hash by default won't do that.
AUR packages, or repo packages? There was a todo list[1] for the repos. For anything in the AUR you should definitely drop a comment on their page. And change the wiki guidelines on packaging standards to mention this. -- Eli Schwartz [1] https://www.archlinux.org/todo/use-gpg-signatures-and-https-sources/