On 16/12/2016 at 22:24, Olivier Brunel wrote:
> On Fri, 16 Dec 2016 16:04:06 -0500 Eli Schwartz <eschwartz93@gmail.com> wrote:
>> On 12/16/2016 03:40 PM, Olivier Brunel wrote:
>>> Well, for the record there is a patch[1] for doing just that (and a bit more) actually. Because indeed a few upstreams do not provide signatures of the source code directly, but either a detached sig of a checksum file, or checksums as a signed message. The patch in question handles both cases.
>>>
>>> And as it happens, it will work with firefox upstream, amongst others. (Though not with the .dsc files from Debian mentioned in this thread.)
>>>
>>> Cheers,
>>>
>>> [1] https://lists.archlinux.org/pipermail/pacman-dev/2015-November/020564.html
>>
>> Hmm, I had forgotten that. I see that Allan objected to that on the grounds that upstream could re-release the sums e.g. after adding a new artifact to the hundred or so in the Firefox file. So you would either have spurious failures, or be unable to detect re-releases.
>
> Not exactly, as long as you put the hash of the file in the PKGBUILD, any change from upstream would be caught. I believe what Allan pointed out was that using SKIP for the file could lead to such things, but that would be a packaging rule to follow to ensure things don't happen.

I totally agree with this. :) Quite funnily, this is why I thought the feature I would like makepkg to have was easy to have, because having already downloaded the signed file to add its sha*sum to the corresponding array, it allowed makepkg to correctly parse it with whatever I had put in the sha*sum array, while this doesn't work if the file isn't already downloaded.

Bruno
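The verification chain discussed in this thread, written out as an added example (it is not makepkg code nor the patch linked above): the signed checksum file is pinned by its own sha256 in the PKGBUILD, its signature is checked, and only then are the per-file sums applied to the sources. The function and variable names, the constructed tarball bytes, the placeholder signature block and the order of the three checks are all assumptions of this example; signature verification is modelled as a boolean (`gpg_verify` shows the real call) so the logic runs without a keyring. The `SKIP` case shows what Allan warned about: with the sums file unpinned, a re-signed re-release of the sums passes unnoticed.

```python
"""Verify a source through an upstream-signed checksum file.

Added example, not pacman/makepkg code. Handles both forms named in the thread:
a plain SHA256SUMS with a detached signature, and checksums as a clearsigned
message (RFC 4880 section 7, with dash-escaping undone).
"""
import hashlib
import re
import subprocess

# Constructed sample source and a constructed clearsigned sums file for it.
SOURCE_NAME = "example-1.0.tar.xz"
SOURCE_BYTES = b"constructed tarball contents, not a real artifact\n"
SUMS_TEXT = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    f"{hashlib.sha256(SOURCE_BYTES).hexdigest()}  {SOURCE_NAME}\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "placeholder: a real armored signature block goes here\n"
    "-----END PGP SIGNATURE-----\n"
)
# What the packager would put in the sha256sums array for the sums file itself.
PINNED_SUM = hashlib.sha256(SUMS_TEXT.encode()).hexdigest()
# Upstream re-releases the sums file with one more artifact listed (constructed).
RERELEASED_SUMS = SUMS_TEXT.replace(
    "-----BEGIN PGP SIGNATURE-----\n",
    f"{hashlib.sha256(b'another artifact').hexdigest()}  example-1.0-extra.bin\n"
    "-----BEGIN PGP SIGNATURE-----\n",
    1,
)

SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")


def clearsigned_body(text: str) -> str:
    """Return the signed payload of a clearsigned message, or the whole text
    if it is a plain checksum file (detached-signature case)."""
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    i = 1
    while i < len(lines) and lines[i] != "":  # skip the armor headers
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)  # undo dash-escape
    return "\n".join(body)


def parse_sums(text: str) -> dict:
    """Map file name -> lowercase sha256 hex digest from a sums file."""
    sums = {}
    for line in clearsigned_body(text).splitlines():
        m = SUM_LINE.match(line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def gpg_verify(path: str) -> bool:
    """Real signature check via gpg (hypothetical helper, not used by the test)."""
    return subprocess.run(["gpg", "--verify", path], capture_output=True).returncode == 0


def check_source(sums_text: str, pinned_sum: str, source_name: str,
                 source_bytes: bytes, signature_ok: bool) -> str:
    """Assumed order: pinned sum of the sums file, then its signature, then
    the per-file sum. pinned_sum == "SKIP" models an unpinned sums file."""
    if pinned_sum != "SKIP" and hashlib.sha256(sums_text.encode()).hexdigest() != pinned_sum:
        return "sums file changed"
    if not signature_ok:
        return "bad signature"
    sums = parse_sums(sums_text)
    if source_name not in sums:
        return "file not listed"
    if hashlib.sha256(source_bytes).hexdigest() != sums[source_name]:
        return "source mismatch"
    return "ok"


if __name__ == "__main__":
    print("pinned, original sums:", check_source(SUMS_TEXT, PINNED_SUM, SOURCE_NAME, SOURCE_BYTES, True))
    print("pinned, re-released sums:", check_source(RERELEASED_SUMS, PINNED_SUM, SOURCE_NAME, SOURCE_BYTES, True))
    print("SKIP, re-released sums:", check_source(RERELEASED_SUMS, "SKIP", SOURCE_NAME, SOURCE_BYTES, True))
```

The pinned digest is what makes the re-release visible: the signature is still valid on the new sums file, so only the PKGBUILD's own sha256 of that file rejects it, which is the packaging rule Olivier describes.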