On 10/12/2016 at 00:30, Leonid Isaev wrote:
> On Fri, Dec 09, 2016 at 03:15:34PM +0100, Bruno Pagani wrote:
>> On 08/12/2016 at 01:57, Leonid Isaev wrote:
>>> On Thu, Dec 08, 2016 at 10:34:59AM +1000, Allan McRae wrote:
>>>> On 08/12/16 08:51, sivmu wrote:
>>>>> On 07.12.2016 at 10:49, Allan McRae wrote:
>>>>>> ...
>>>>>> I advocate keeping md5sum as the default because it is broken. If I see
>>>>>> someone purely verifying their sources using md5sum in a PKGBUILD (and
>>>>>> not pgp signature), I know that they have done nothing to actually
>>>>>> verify the source themselves.
>>>>>> ...
>>>>>
>>>>> That is a very dangerous assumption. I know for a fact that many
>>>>> maintainers used md5 for verification because it is the default.
>>>>> There are/were maintainers that downloaded the source, verified the pgp
>>>>> signature and generated the md5 checksum to include it in the PKGBUILD
>>>>> (without the pgp signature)
>>>>
>>>> Idiots... so again using md5sums as the default saves me from people
>>>> who don't know how to package.
>>>
>>> Actually, this might not be so crazy. Sometimes you get a signed
>>> sha*sums file instead of signed source, so you don't include the key in
>>> validpgpkeys array. For example, when building Firefox, I have to
>>> manually verify the sig on SHA512SUMS and then paste the sha512sum into
>>> PKGBUILD. But this is because I'm paranoid... I guess one can simply do
>>> makepkg -g, hmm.
>>>
>>> Hence the question, why have this flag at all? And should it be possible
>>> to specify an external (signed) hash-file in PKGBUILD?
>>>
>>> Thx,
>>> L.
>>
>> What is wrong with adding the sha*sum file and its signature in the
>> source array and then using validpgpkeys?
>
> And then what?

Then makepkg would check the sigs on the sha*sum file, and you could either
grep the sum from this file to use it in the PKGBUILD automatically (which is
done in firefox-nightly-fr, probably not optimally now that I think about it)
or have a function to later verify the sum (don't like that way, but it's done
in firefox-nightly for instance), or copy it by hand if it is for a stable
package (which seems to be your use case). The goal here being that other
people using the PKGBUILD get the same GPG verification.
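The "have a function to later verify the sum" variant, as an added example that is not part of this thread, of makepkg, or of the firefox-nightly PKGBUILDs mentioned above. It assumes the PKGBUILD shape sketched in the header comment (the package name foo, the example.invalid URLs and the file names are illustrative): the SHA512SUMS file and its .asc are listed in source=(), makepkg verifies the .asc against validpgpkeys, and the function below then checks the tarball against that signed sums file, matching on basename because upstream sums files often list files under a path prefix. The demo data is constructed inline so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from makepkg.
#
# Assumed PKGBUILD shape (illustrative names and URLs):
#
#   source=("https://example.invalid/${pkgname}-${pkgver}.tar.xz"
#           "SHA512SUMS-${pkgver}::https://example.invalid/SHA512SUMS"
#           "SHA512SUMS-${pkgver}.asc::https://example.invalid/SHA512SUMS.asc")
#   sha512sums=('SKIP' 'SKIP' 'SKIP')
#   validpgpkeys=('<fingerprint of the key that signs SHA512SUMS>')
#
# makepkg checks SHA512SUMS.asc because of validpgpkeys; prepare() then calls
# verify_against_sums_file on the tarball so the sum that is trusted is the
# one from the *signed* file, not one pasted by hand.
# Needs coreutils sha512sum (on macOS use `shasum -a 512` instead).
set -eu

# Print the sha512 listed for basename $2 in the sha512sum-style file $1.
# Lines look like "<128 hex>  [*]path/to/file"; the optional "*" marks
# binary mode and any directory prefix is ignored when matching.
sum_from_sums_file() {
    local sums_file=$1 name=$2
    awk -v n="$name" '
        NF >= 2 {
            sub(/^\*/, "", $2)
            k = split($2, p, "/")
            if (p[k] == n) { print $1; exit }
        }' "$sums_file"
}

# Verify file $2 against the signed sums file $1.
# Returns 0 on match, 1 on mismatch, 2 if the file is not listed at all
# (a silent "not listed" must not pass as verified).
verify_against_sums_file() {
    local sums_file=$1 file=$2 expected actual
    expected=$(sum_from_sums_file "$sums_file" "$(basename "$file")")
    [ -n "$expected" ] || return 2
    actual=$(sha512sum "$file" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Constructed demo data (not real upstream files): a good release tarball,
# a tampered copy with the same name, an unlisted file, and a sums file
# that lists the release under a path prefix plus an unrelated entry.
make_demo_dir() {
    local d
    d=$(mktemp -d)
    mkdir "$d/tampered"
    printf 'release contents\n' > "$d/foo-1.0.tar.xz"
    printf 'release contents, modified\n' > "$d/tampered/foo-1.0.tar.xz"
    printf 'something else\n' > "$d/unlisted-1.0.tar.xz"
    {
        printf '%s  linux-x86_64/en-US/foo-1.0.tar.xz\n' \
            "$(sha512sum "$d/foo-1.0.tar.xz" | cut -d' ' -f1)"
        printf '%s  source/other-1.0.tar.gz\n' \
            "$(printf 'x' | sha512sum | cut -d' ' -f1)"
    } > "$d/SHA512SUMS"
    printf '%s\n' "$d"
}

# Run the check over the three cases and report each outcome.
demo() {
    local d f rc
    d=$(make_demo_dir)
    for f in "$d/foo-1.0.tar.xz" "$d/tampered/foo-1.0.tar.xz" "$d/unlisted-1.0.tar.xz"; do
        rc=0
        verify_against_sums_file "$d/SHA512SUMS" "$f" || rc=$?
        case $rc in
            0) echo "OK          $f" ;;
            1) echo "MISMATCH    $f" ;;
            *) echo "NOT LISTED  $f" ;;
        esac
    done
    rm -rf "$d"
}

demo
```

In a PKGBUILD the call would sit in prepare() as `verify_against_sums_file "$srcdir/SHA512SUMS-$pkgver" "$srcdir/$pkgname-$pkgver.tar.xz"` with the build aborting on a non-zero return; the same sum_from_sums_file helper is what a "grep the sum from this file" variant would use to fill sha512sums=() instead.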