On Fri, 16 Dec 2016 16:04:06 -0500 Eli Schwartz <eschwartz93@gmail.com> wrote:
On 12/16/2016 03:40 PM, Olivier Brunel wrote:
Well, for the record there is a patch[1] for doing just that (and a bit more) actually. Because indeed a few upstreams do not provide signatures of the source code directly, but either detached sig of a checksum file, or checksums as a signed message. The patch in question handles both cases.
And as it happens, it will work with firefox upstream, amongst others. (Though not with the .dsc files from Debian mentioned in this thread.)
Cheers,
[1] https://lists.archlinux.org/pipermail/pacman-dev/2015-November/020564.html
Hmm, I had forgotten that. I see that Allan objected to that on the grounds that upstream could re-release the sums e.g. after adding a new artifact to the hundred or so in the Firefox file. So you would either have spurious failures, or be unable to detect re-releases.
Not exactly, as long as you put the hash of the file in the PKGBUILD, any change from upstream would be caught. I believe what Allan pointed out was that using SKIP for the file could lead to such things, but that would be a packaging rule to follow to ensure things don't happen.
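The flow the thread describes (a signed checksum file pinned by its own hash in the PKGBUILD, then each source checked against that file) as an added example that is not part of the thread, the linked patch, or makepkg itself. It models only the hash side: the detached-signature check over the checksum file is assumed to be done separately by gpg and is not reproduced here. All file names, contents and the sha256sum-style checksum file are constructed for the example.

```python
import hashlib
import re

# Constructed sample sources, standing in for the artifacts an upstream lists
# in its SHA256SUMS-style file. Names and contents are made up for this example.
SOURCES = {
    "example-1.0.source.tar.xz": b"constructed source archive contents\n",
    "example-1.0-langpack.xpi": b"constructed second artifact\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_checksum_file(files: dict) -> bytes:
    # sha256sum output format: "<hex digest>  <file name>", one entry per line.
    return "".join(f"{sha256_hex(d)}  {n}\n" for n, d in files.items()).encode()


# The checksum file as first released (the version whose hash a packager pins).
CHECKSUM_FILE = build_checksum_file(SOURCES)

# A constructed "re-release": upstream regenerates the checksum file after adding
# one more artifact. Its signature would still verify, only its hash changes.
RERELEASED_CHECKSUM_FILE = build_checksum_file(
    {**SOURCES, "example-1.0-extra.tar.xz": b"constructed late addition\n"}
)


def parse_checksum_file(data: bytes) -> dict:
    """Parse sha256sum-style lines into {name: hex digest}; ignores blank/odd lines."""
    sums = {}
    for line in data.decode().splitlines():
        m = re.match(r"^([0-9a-f]{64})\s+\*?(.+)$", line.strip())
        if m:
            sums[m.group(2)] = m.group(1)
    return sums


def verify_sources(checksum_file: bytes, sources: dict, pinned_checksum_hash: str):
    """Return (ok, reason) for the PKGBUILD-style check described in the thread.

    pinned_checksum_hash is what the packager put in the PKGBUILD for the checksum
    file itself. A real hash catches any upstream change to that file, even a
    validly re-signed one; the literal "SKIP" (as in makepkg's sums arrays) accepts
    whatever file is downloaded, so a re-release goes unnoticed.
    """
    if pinned_checksum_hash != "SKIP":
        if sha256_hex(checksum_file) != pinned_checksum_hash:
            return False, "checksum file changed upstream"
    sums = parse_checksum_file(checksum_file)
    for name, data in sources.items():
        if name not in sums:
            return False, f"{name} missing from checksum file"
        if sha256_hex(data) != sums[name]:
            return False, f"{name} does not match checksum file"
    return True, "ok"


if __name__ == "__main__":
    pinned = sha256_hex(CHECKSUM_FILE)
    print(verify_sources(CHECKSUM_FILE, SOURCES, pinned))
    print(verify_sources(RERELEASED_CHECKSUM_FILE, SOURCES, pinned))   # caught
    print(verify_sources(RERELEASED_CHECKSUM_FILE, SOURCES, "SKIP"))   # not caught
```

Running the block shows the distinction being argued about: with the checksum file's own hash pinned, the re-released file fails before any source is looked at, while with `SKIP` the same re-release passes because every listed source still matches.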