On 12/16/2016 03:40 PM, Olivier Brunel wrote:
Well, for the record there is a patch[1] for doing just that (and a bit more) actually. Because indeed a few upstreams do not provide signatures of the source code directly, but either detached sig of a checksum file, or checksums as a signed message. The patch in question handles both cases.
And as it happens, it will work with firefox upstream, amongst others. (Though not with the .dsc files from Debian mentioned in this thread.)
Cheers,
[1] https://lists.archlinux.org/pipermail/pacman-dev/2015-November/020564.html
Hmm, I had forgotten that. I see that Allan objected to that on the grounds that upstream could re-release the sums e.g. after adding a new artifact to the hundred or so in the Firefox file. So you would either have spurious failures, or be unable to detect re-releases. Although I don't know if there are any stats on how often a checksums file will get updated by upstream like that. Is that a significant concern?

-- 
Eli Schwartz
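To make the two cases Olivier describes and the objection Eli relays concrete, here is an added Python example (not the linked patch's code, nor pacman's): it pulls checksum lines out of either a plain sums file or a clearsigned message, checks an artifact against them, and shows why pinning the digest of the sums file itself detects a re-release but also fails when upstream merely appends an entry. The sample sums, signature blob and re-released file are constructed; the signature is assumed to have already been verified with gpg.

```python
import hashlib
import re

# Constructed sample: upstream publishes its checksums as a clearsigned message.
# The signature block below is a placeholder, not a real signature.
CLEARSIGNED = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08  test.txt
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 *other.txt
-----BEGIN PGP SIGNATURE-----

PLACEHOLDER-SIGNATURE-DATA
-----END PGP SIGNATURE-----
"""
# Constructed sample: the same entry as a plain sums file shipped with a detached .sig.
PLAIN_SUMS = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08  test.txt\n"
# Constructed re-release: upstream appends one artifact and re-signs the message.
RERELEASED = CLEARSIGNED.replace(
    "-----BEGIN PGP SIGNATURE-----",
    "a" * 64 + "  new-artifact.txt\n-----BEGIN PGP SIGNATURE-----", 1)

# coreutils sha256sum format: 64 hex digits, then two spaces (text) or " *" (binary).
SUM_RE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

def checksum_lines(text):
    """Checksum lines from a plain sums file or from a clearsigned message body.
    Verifying the signature itself (gpg --verify) is assumed to be done already."""
    lines = text.splitlines()
    if lines and lines[0] == "-----BEGIN PGP SIGNED MESSAGE-----":
        body = lines[lines.index("") + 1:]          # skip the armor headers
        lines = body[:body.index("-----BEGIN PGP SIGNATURE-----")]
    return [ln for ln in lines if ln.strip()]

def parse_sums(text):
    """Map filename -> expected sha256, accepting both sha256sum line forms."""
    sums = {}
    for line in checksum_lines(text):
        m = SUM_RE.match(line)
        if not m:
            raise ValueError("malformed checksum line: %r" % line)
        sums[m.group(2)] = m.group(1).lower()
    return sums

def verify_artifact(name, data, sums_text):
    """True if the artifact matches its entry in the (already verified) sums."""
    return parse_sums(sums_text).get(name) == hashlib.sha256(data).hexdigest()

def sums_file_digest(sums_text):
    """Digest of the sums file itself: pinning it detects an upstream re-release,
    but also fails when upstream merely appends a new artifact."""
    return hashlib.sha256(sums_text.encode()).hexdigest()
```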