[aur-general] validpgpkeys
Hi,

you likely noticed the discussion about "Stronger Hashes for PKGBUILDs" on Arch general. I wonder if there is any reason to avoid validpgpkeys for PKGBUILDs of the AUR? https://aur.archlinux.org/packages/freetype2-infinality/ ?

If upstream, e.g. kernel.org signs the source, then IMO nothing is wrong with including it to the PKGBUILD. I prefer signed sources.

Actually this is done for at least linux.

$ grep validpgpkeys -A3 /var/abs/core/linux/PKGBUILD
validpgpkeys=(
  'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
  '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
)

Regards,
Ralf
On Sun, 11 Dec 2016 20:46:56 +0100 Ralf Mardorf <ralf.mardorf@alice-dsl.net> wrote:
Hi,
you likely noticed the discussion about "Stronger Hashes for PKGBUILDs" on Arch general. I wonder if there is any reason to avoid validpgpkeys for PKGBUILDs of the AUR? https://aur.archlinux.org/packages/freetype2-infinality/ ?
If upstream, e.g. kernel.org signs the source, then IMO nothing is wrong with including it to the PKGBUILD. I prefer signed sources.
Actually this is done for at least linux.
$ grep validpgpkeys -A3 /var/abs/core/linux/PKGBUILD
validpgpkeys=(
  'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
  '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
)
Regards, Ralf
No, there is no reason to avoid it. The argument that people don't understand isn't a valid one with Arch.
On Sun, 11 Dec 2016 13:54:08 -0600, Doug Newgard wrote:
No, there is no reason to avoid it. The argument that people don't understand isn't a valid one with Arch.
Full ACK.

If they want to use a helper without taking care about anything on their own, they could configure their helper to skip the PGP check.

At least yaourt provides an option.

$ man yaourtrc | grep MAKEPKG -A1
MAKEPKG="makepkg"
    Specify the makepkg binary to use with yaourt

I don't know if it's possible to use

MAKEPKG="makepkg --skippgpcheck"

but at least using a wrapper

MAKEPKG="makepkg-skip-pgp-check-wrapper"

would be possible.

Regards,
Ralf
On Mon, 12 Dec 2016 08:56:55 +0100, Ralf Mardorf wrote:
On Sun, 11 Dec 2016 13:54:08 -0600, Doug Newgard wrote:
No, there is no reason to avoid it. The argument that people don't understand isn't a valid one with Arch.
Full ACK.
If they want to use a helper without taking care about anything on their own, they could configure their helper to skip the PGP check.
At least yaourt provides an option.
$ man yaourtrc | grep MAKEPKG -A1
MAKEPKG="makepkg"
    Specify the makepkg binary to use with yaourt
I don't know if it's possible to use
MAKEPKG="makepkg --skippgpcheck"
but at least using a wrapper
MAKEPKG="makepkg-skip-pgp-check-wrapper"
would be possible.
Let alone that a makepkg wrapper script could check the PKGBUILD and download all required keys automatically. This doesn't require programming skills, just a simple script. I'm against downloading keys automatically, but this would perhaps be better than skipping PGP verification.
On Mon, 12 Dec 2016 09:05:36 +0100, Ralf Mardorf wrote:
On Mon, 12 Dec 2016 08:56:55 +0100, Ralf Mardorf wrote:
On Sun, 11 Dec 2016 13:54:08 -0600, Doug Newgard wrote:
No, there is no reason to avoid it. The argument that people don't understand isn't a valid one with Arch.
Full ACK.
If they want to use a helper without taking care about anything on their own, they could configure their helper to skip the PGP check.
At least yaourt provides an option.
$ man yaourtrc | grep MAKEPKG -A1
MAKEPKG="makepkg"
    Specify the makepkg binary to use with yaourt
I don't know if it's possible to use
MAKEPKG="makepkg --skippgpcheck"
but at least using a wrapper
MAKEPKG="makepkg-skip-pgp-check-wrapper"
would be possible.
Let alone that a makepkg wrapper script could check the PKGBUILD and download all required keys automatically. This doesn't require programming skills, just a simple script. I'm against downloading keys automatically, but this would perhaps be better than skipping PGP verification.
PPS: Or perhaps, in .gnupg/gpg.conf:

keyserver-options auto-key-retrieve
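As an added example of the two ideas above (the wrapper script from the PS and the auto-key-retrieve alternative from the PPS), here is a POSIX sh pre-check that is not code from this thread, from makepkg or from yaourt. It parses the validpgpkeys=( ... ) array out of a PKGBUILD, rejects entries that are not full 40-hex-digit fingerprints, and reports which keys are missing from the local keyring together with the gpg --recv-keys command that fetches each one by that fingerprint, which is the identifier makepkg actually verifies against. It deliberately stops short of fetching anything itself, so the user keeps the decision rather than skipping the check or trusting whatever key ID a signature names. The function names, the output format and the sample PKGBUILD used in testing are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, makepkg or yaourt): a pre-check for the
# validpgpkeys array of a PKGBUILD. Instead of skipping the PGP check, it tells
# the user which keys are missing and how to fetch them by full fingerprint.

# Print one quoted entry per line from validpgpkeys=( ... ), comments stripped.
# Assumes the array starts at the beginning of a line, as in the linux PKGBUILD.
extract_validpgpkeys() {
    awk '
        /^validpgpkeys=\(/ { inarr = 1 }
        inarr {
            line = $0
            sub(/#.*/, "", line)      # drop a trailing comment such as the key owner
            while (match(line, /['\''"][^'\''"]*['\''"]/)) {
                print substr(line, RSTART + 1, RLENGTH - 2)
                line = substr(line, RSTART + RLENGTH)
            }
            if (line ~ /\)/) inarr = 0   # closing paren ends the array
        }
    ' "$1"
}

# makepkg compares the signing key against these entries, so insist on full
# 40-hex-digit fingerprints; a short key ID is not a safe identifier.
is_full_fingerprint() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{40}$'
}

# Return 0 if gpg already has a key with this fingerprint in the user's keyring.
key_in_keyring() {
    gpg --batch --with-colons --list-keys "$1" >/dev/null 2>&1
}

# Check every entry; return 1 if any entry is malformed or its key is missing.
check_pkgbuild_keys() {
    status=0
    for fpr in $(extract_validpgpkeys "$1"); do
        if ! is_full_fingerprint "$fpr"; then
            printf 'malformed validpgpkeys entry: %s\n' "$fpr" >&2
            status=1
        elif key_in_keyring "$fpr"; then
            printf 'present: %s\n' "$fpr"
        else
            # Only suggest the fetch; the user decides whether to trust the keyserver.
            printf 'missing: %s  (fetch with: gpg --recv-keys %s)\n' "$fpr" "$fpr" >&2
            status=1
        fi
    done
    return "$status"
}

# Usage (hypothetical file name): ./check-validpgpkeys.sh /path/to/PKGBUILD && makepkg -s
if [ "$#" -gt 0 ]; then
    check_pkgbuild_keys "$1"
fi
```

Run it against the PKGBUILD before makepkg; a non-zero exit means either a malformed entry (worth a look at the PKGBUILD itself) or a key that still has to be imported, and the printed gpg --recv-keys line is the full-fingerprint fetch that a pinned AUR comment would otherwise have to spell out.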
On 11/12/2016 at 20:46, Ralf Mardorf wrote:
Hi,
you likely noticed the discussion about "Stronger Hashes for PKGBUILDs" on Arch general. I wonder if there is any reason to avoid validpgpkeys for PKGBUILDs of the AUR? https://aur.archlinux.org/packages/freetype2-infinality/ ?
If upstream, e.g. kernel.org signs the source, then IMO nothing is wrong with including it to the PKGBUILD. I prefer signed sources.
Actually this is done for at least linux.
$ grep validpgpkeys -A3 /var/abs/core/linux/PKGBUILD
validpgpkeys=(
  'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
  '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
)
Regards, Ralf
Hi,

No reason as far as I can see, except perhaps the fact that most users don’t understand what happens when they have a failure on `==> Verifying source file signatures with gpg...` because they didn’t add the key to their keyring, despite a pinned comment telling them to do so… But if we start to consider such things as valid reasons, we’re doomed.

Personally, I make use of this on as many of the packages I maintain as possible, while pinning a comment redirecting to https://wiki.archlinux.org/index.php/Makepkg#Signature_checking, while also mentioning --skippgpcheck because it’s always mentioned in the comments at some point, so I’d rather have it with a warning in the pinned comment.

Cheers,
Bruno
On Sun, 11 Dec 2016 20:55:23 +0100, Bruno Pagani wrote:
Personally, I make use of this on as much packages I maintain as possible, while pinning a comment redirecting to https://wiki.archlinux.org/index.php/Makepkg#Signature_checking, while also mentioning --skippgpcheck because it’s always mentioned in the comments at some point, so rather have it with a warning in the pinned comment.
This is a good idea :). OTOH often helpful comments are ignored ;). Regards, Ralf