On 04/01/15 05:03 PM, Doug Newgard wrote:
> On Sun, 4 Jan 2015 22:05:21 +0100 Christian Hesse <list@eworm.de> wrote:
>> Hello everybody,
>> pacman 4.2.0 gained support for verifying source tarballs with kernel.org style signature. Some (even essential) packages could benefit from that, linux and git come to mind.
>> How to handle this? Report a bug for every package? Provide a list here?
> A lot of it is already happening: https://www.archlinux.org/todo/validpgpkeys-integrity-check/
> If you want it added to a package that isn't on that list, the bug tracker is probably the best bet. Note that the linux package already has it.
> Doug
That rebuild is just to fix packages that were already using GPG signatures and need the fingerprint(s) added. There are a lot that could be using them and aren't yet. This could likely be automated to a large extent. Using a script to detect if HTTPS works for fetching the sources along with checking for signature files by appending .asc and .sig seems like a promising plan.
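A sketch of the detection script proposed above, added here as an example and not code from the thread or from Arch. It assumes PKGBUILD-style source entries (optional `name::url` prefix), probes with a HEAD request by default, and the demo at the bottom uses a constructed fake probe so it runs offline.

```python
"""Audit PKGBUILD-style source URLs: can the tarball be fetched over HTTPS,
and is a detached PGP signature (.sig or .asc) published next to it?"""
import urllib.request
from urllib.parse import urlsplit

SIG_SUFFIXES = (".sig", ".asc")   # kernel.org style detached signatures


def strip_rename(entry):
    """PKGBUILD allows 'localname::url'; keep only the url part."""
    return entry.split("::", 1)[1] if "::" in entry else entry


def is_remote(url):
    return urlsplit(url).scheme in ("http", "https", "ftp")


def https_variant(url):
    parts = urlsplit(url)
    return url if parts.scheme == "https" else parts._replace(scheme="https").geturl()


def head_ok(url):
    """Default probe: HEAD request, True on a 2xx response, False otherwise."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return 200 <= resp.status < 300
    except Exception:
        return False


def audit_sources(sources, probe=head_ok):
    """Return {url: {"https": url-or-None, "sig": url-or-None}} for every
    remote source entry; local files (no URL scheme) are skipped."""
    report = {}
    for entry in sources:
        url = strip_rename(entry)
        if not is_remote(url):
            continue
        https = https_variant(url)
        https_ok = https if (https == url or probe(https)) else None
        base = https_ok or url          # prefer checking signatures over HTTPS
        sig = next((base + s for s in SIG_SUFFIXES if probe(base + s)), None)
        report[url] = {"https": https_ok, "sig": sig}
    return report


if __name__ == "__main__":
    # Constructed sample: pretend these URLs exist, everything else 404s.
    fake_available = {"https://example.org/foo-1.0.tar.gz",
                      "https://example.org/foo-1.0.tar.gz.sig"}
    print(audit_sources(["http://example.org/foo-1.0.tar.gz", "foo.patch"],
                        probe=lambda u: u in fake_available))
```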