On 07/08/16 23:13, Florian Pritz wrote:
> On 07.08.2016 08:28, Allan McRae wrote:
>> A commit message would be nice...
> Would a copy of the manpage description be fine or do you have something else in mind?
>> Is there any reason PGP checksums are not checked?
> I don't see a mention of checksum-only verification in the gpg manpage so I'll assume you mean signatures here.
> The main reason is that I'm not sure if it is really necessary. If we want to catch obvious problems (missing or broken package file), checking the sha256 and md5 hashes is enough. PGP opens a whole can of worms starting with the simple issue that this script should also be useful to mirror admins that want to check if their mirror is good. Those servers may not run the distro for which they provide a mirror and they probably don't have the keys in their keyring so verifying the signatures is not easily possible.
> I currently don't consider the feature worth adding, but I haven't thought about it too much, which is why the TODO has a question mark at the end. If you want, I can remove that line entirely given I've thought about it some more now and still don't see a huge value in having it.
I didn't actually see the TODO - I was purely commenting based on the man page. Get rid of the TODO, and put a very brief description in the commit message and I will apply. (I am assuming it is tested due to not knowing perl that well...) A
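The hash-only check discussed above (sha256 and md5 from the repo db compared against the package files, reporting missing or broken files, with no signature verification), written here as an added Python example that is not the Perl script under review. The three package files and their `desc` entries are constructed in a temporary directory, and the `%FILENAME%`/`%MD5SUM%`/`%SHA256SUM%` field layout is assumed to match the pacman repo db format.

```python
import hashlib
import os
import tempfile

def file_digests(path):
    """Stream a file once and return its (md5, sha256) hex digests."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()

def parse_desc(text):
    """Parse a repo db 'desc' entry (%KEY% line followed by its value) into a dict."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith("%") and line.endswith("%"):
            key = line.strip("%")
        elif line and key is not None:
            fields.setdefault(key, line)
    return fields

def check_package(pkgdir, desc):
    """Return 'ok', 'missing' or 'broken' for the package file a desc entry names."""
    path = os.path.join(pkgdir, desc["FILENAME"])
    if not os.path.isfile(path):
        return "missing"
    md5, sha = file_digests(path)
    if md5 != desc["MD5SUM"] or sha != desc["SHA256SUM"]:
        return "broken"
    return "ok"

def demo():
    """Constructed mirror (assumed data): one intact package, one corrupted, one absent."""
    with tempfile.TemporaryDirectory() as pkgdir:
        descs = []
        for name, data in [("good-1.0-1-x86_64.pkg.tar.xz", b"good"),
                           ("bad-1.0-1-x86_64.pkg.tar.xz", b"bad"),
                           ("gone-1.0-1-x86_64.pkg.tar.xz", b"gone")]:
            path = os.path.join(pkgdir, name)
            with open(path, "wb") as fh:
                fh.write(data)
            md5, sha = file_digests(path)  # the hashes the repo db would carry
            descs.append(f"%FILENAME%\n{name}\n\n%MD5SUM%\n{md5}\n\n%SHA256SUM%\n{sha}\n")
        # Simulate a truncated download and a file that never reached the mirror.
        with open(os.path.join(pkgdir, "bad-1.0-1-x86_64.pkg.tar.xz"), "wb") as fh:
            fh.write(b"ba")
        os.remove(os.path.join(pkgdir, "gone-1.0-1-x86_64.pkg.tar.xz"))
        return {d["FILENAME"]: check_package(pkgdir, d) for d in map(parse_desc, descs)}

if __name__ == "__main__":
    for filename, status in demo().items():
        print(f"{status:8} {filename}")
```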