On 20/02/15 10:26 AM, Mark Lee wrote:
However, the issue still stands regarding checksums. Perhaps packages with metadata changes should just not include checksums? Or, they could just link to the sources.archlinux.org in those cases with checksums.
Ideally, devtools would generate a source package, sign it and upload it along with the binary packages. It would eliminate the minor flaws in the current GPL compliance and there would actually be a way to obtain the original sources used to build the package and compare to whatever upstream currently offers. The source packages are currently generated by a cron job on the server... I'm sure patches are welcome but you aren't going to find many people who really care.
In addition, I was thinking more along the lines of coercion.
I don't know what you mean. The checksums prove absolutely nothing about how the binary package was built. The packager can provide whatever checksums they want, regardless of what sources they used to build the package.