On 15-10-18, Levente Polyak via aur-general wrote:
> On 10/14/18 11:35 PM, Daniel Bermond via aur-general wrote:
>> I usually don't use pgp on my aur packages because people tend to complain a lot about building issues. They fail to handle the keys and start complaining to the packager, and this is a big stress. When dealing with repository packages this is another story, of course. Since this was raised as a main issue, I'll be adding the pgp checks back again.
>
> So let me summarize what you are saying, correct me if I'm wrong:
> You fully know what's all the gizzle with gpg. Instead of acting like a trustable user who follows best practice and spreads good advice and helps teach people about how all this works properly, you prefer to pull the lazy card because it's what? big stress? Serious? I don't even find words to describe how untrustworthy this is to the community to prefer to remove GPG signatures instead of educating users?

What a warm way to welcome people. A bit of fact-checking doesn't hurt:

$ pkgver=4.16.1
$ wget "https://www.apache.org/dist/flex/${pkgver}/binaries/apache-flex-sdk-${pkgver}-bin.tar.gz"{,.asc}
$ gpg --verify apache-flex-sdk-4.16.1-bin.tar.gz.asc
gpg: assuming signed data in 'apache-flex-sdk-4.16.1-bin.tar.gz'
gpg: Signature made mer. 15 nov. 2017 09:44:37 CET
gpg:                using RSA key 44998F3E242727E94C4BADEB6B0A7EC905061FC8
gpg: Can't check signature: No public key
$ gpg --search-keys 44998F3E242727E94C4BADEB6B0A7EC905061FC8
gpg: data source: http://192.146.137.99:11371
(1)     Piotr Zarzycki (CODE SIGNING KEY) <piotrz@apache.org>
          4096 bit RSA key 6B0A7EC905061FC8, created: 2017-06-17 (revoked)
Keys 1-1 of 1 for "44998F3E242727E94C4BADEB6B0A7EC905061FC8".  Enter number(s), N)ext, or Q)uit >

Baptiste
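
Added example, not part of the original thread: the "(revoked)" state shown in the key search above can also be read mechanically from gpg's machine-readable listing (gpg --with-colons --list-keys) once the key is in the local keyring. The function names are hypothetical and the sample listing is constructed; its second key is entirely made up.

```shell
#!/bin/sh
# Colon-format listing: field 1 is the record type, field 2 of a "pub"
# record is the key validity (r = revoked, e = expired, d = disabled,
# i = invalid), and field 10 of the "fpr" record that follows it is the
# primary key fingerprint.

# key_status FINGERPRINT   (colon listing on stdin)
# Prints revoked | expired | invalid | ok | missing.
# "ok" only means none of the states above; it says nothing about trust.
key_status() {
    awk -F: -v want="$1" '
        $1 == "pub" { validity = $2; primary = 1; next }
        $1 == "sub" { primary = 0; next }   # skip subkey fingerprints
        $1 == "fpr" && primary && toupper($10) == toupper(want) {
            if (validity == "r") print "revoked"
            else if (validity == "e") print "expired"
            else if (validity == "d" || validity == "i") print "invalid"
            else print "ok"
            found = 1; exit
        }
        END { if (!found) print "missing" }
    '
}

# check_keys FINGERPRINT...   (colon listing on stdin)
# Reports each key and returns 1 if any of them is not "ok".
check_keys() {
    listing=$(cat); rc=0
    for fpr in "$@"; do
        status=$(printf '%s\n' "$listing" | key_status "$fpr")
        printf '%s %s\n' "$fpr" "$status"
        [ "$status" = ok ] || rc=1
    done
    return $rc
}

# Constructed sample in the shape `gpg --with-colons --list-keys` prints.
sample_listing() {
    cat <<'EOF'
pub:r:4096:1:6B0A7EC905061FC8:1497657600:::-:::sc::::::23::0:
fpr:::::::::44998F3E242727E94C4BADEB6B0A7EC905061FC8:
pub:-:4096:1:AAAAAAAAAAAAAAAA:1500000000:::-:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
EOF
}

sample_listing | check_keys 44998F3E242727E94C4BADEB6B0A7EC905061FC8 || true
```

Against a real keyring the input would come from gpg --with-colons --list-keys followed by the fingerprints to check, piped into check_keys with the same fingerprints as arguments.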