On 12/15/2016 06:23 PM, Bruno Pagani wrote:
Le 16/12/2016 à 00:13, Allan McRae a écrit :
On 16/12/16 08:29, Bruno Pagani wrote:
Hi there,
This is probably some sort of feature request or maybe more general asking.
I have a case where sha*sums are provided in a .dsc signed file (bs1770gain, for which *sane* upstream is Debian: https://packages.debian.org/source/sid/bs1770gain). Apparently, makepkg only supports verifying file with detached signature. Is there a specific reason for that (like this use case is really tiny — I have no actual idea about this) or is it just because it was never implemented?
The format of signed checksum files varies a lot. I don't want to attempt to autodetect each one as that will create a future nightmare.
Also, what is gained vs putting the checksums into the PKGBUILD?
A
Easy verification of source for other people building the package (here from AUR, but could be from ABS). Or maybe I misunderstood the point of having PGP verification in makepkg?
PGP verification proves that upstream signed the sources. Debian .dsc files prove nothing other than that Debian signed that download. What exactly qualifies Debian as the "sane upstream" anyway? What does authenticating Debian's checksums get us, that we couldn't have gotten out of verifying the AUR maintainer's checksums? Note that Allan has already vetoed the idea of upgrading the default checksum type in makepkg, on the grounds that it doesn't really prove anything, and nothing other than actual checksums or preferably PGP signatures from the code author will prove *anything*. So I don't see why yet more unproven checksums will be any different, especially if it requires brand-new handling in makepkg specifically for the purpose. -- Eli Schwartz