[arch-general] Severity of Failed checksum for PKGBUILD

G. Schlisio g.schlisio at dukun.de
Fri Feb 20 14:40:14 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


> I understand that the metadata changed which changed the checksum,
> but that doesn't really change the question of what to do with
> source code versioning systems that have changing checksums and the
> need to supply source code for GPL projects.

If I understand you correctly, you want to be able to prove that a
certain source was used in a certain PKGBUILD to generate a certain
binary package you are looking at.
That kind of security is not built into Arch. You cannot even prove
that the PKGBUILD from abs or svn reflects the one that was used to
build the package you have.
It is a well-intended question to ask for GPL compliance and provable
sources, but that is not happening in Arch.
It's about trust (that's why they are called TU!), and the problem you
try to solve is ill-defined.
That aside, I think that rebuilding packages should be possible
(correct checksums etc.), but it can fail for a bunch of reasons, so
it's mostly not the TUs' fault.

0,02€
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJU50dJAAoJELKHx5nAxn3sKssIAIj2vyA4vuxvbbmS7mv8z41E
vyaCP6gZPWTCi0lA4xEIiRamgIV4QgLYmv7a5BR3xfoOvc/vxTzIOhBWqgigf7Y7
u34vYOCfcUcyKT1pse8mbuOHiTVd78LDanugX/TAkRzwM4y4aq/HXlLaXjiz6LC1
g7Rh9QCzqsMO+a8/KfClQXvIT1od1Frvgxnh5LQqgzZ47iVbkJfNUVbqCBmLVybi
vjmdO3Zma5Qq0xiFbR3gAewKMcpl7EBs6svvv82BreHYyQf8VdPKderLtjqhCaR8
bMldKGuaH1RW6oDAmMZNdIANgzmBFs3FmgVfrV/pjHYBvAAe/zcuKGlWQgmfP8Q=
=d7Rj
-----END PGP SIGNATURE-----
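The failure mode discussed in this thread (a source host regenerating an archive with different metadata, so the bytes, and hence the pinned digest, change while the code does not) is easy to reproduce locally. The following is an added example, not code from this thread or from makepkg: it parses the `source=` and `sha256sums=` arrays of a constructed PKGBUILD fragment, verifies fetched bytes against them, honours the literal `SKIP` that makepkg accepts for VCS sources, and shows the mismatch a rebuilder sees once the tarball has been regenerated. The package name, URL and tarball contents are made up for the illustration.

```python
import hashlib
import re

# Constructed sample "upstream tarball" bytes (not a real archive) and a
# second copy of the same content that a host regenerated with different
# archive metadata: the source code is unchanged, the bytes are not.
ORIGINAL_TARBALL = b"mtime=1424443214\nsrc/main.c: int main(void){return 0;}\n"
REGENERATED_TARBALL = b"mtime=1424529614\nsrc/main.c: int main(void){return 0;}\n"


def sha256_hex(data):
    """Hex SHA-256 digest, the same algorithm makepkg uses for sha256sums."""
    return hashlib.sha256(data).hexdigest()


# Constructed PKGBUILD fragment (hypothetical package, not a real one). The
# digest array pins the original tarball; the VCS source carries the literal
# SKIP, which makepkg accepts in place of a digest.
PKGBUILD_TEXT = """\
pkgname=example
pkgver=1.0
source=('example-1.0.tar.gz'
        'git+https://example.invalid/example.git')
sha256sums=('%s'
            'SKIP')
""" % sha256_hex(ORIGINAL_TARBALL)


def parse_array(text, name):
    """Return the single-quoted entries of a bash array assignment NAME=(...)."""
    m = re.search(r"^%s=\((.*?)\)" % re.escape(name), text, re.S | re.M)
    return re.findall(r"'([^']*)'", m.group(1)) if m else []


def check_sources(pkgbuild, fetched):
    """Compare each source entry's pinned digest with the bytes in `fetched`
    (a dict mapping source entry -> bytes). Returns {entry: status} where
    status is 'ok', 'mismatch', 'skipped' (digest is SKIP) or 'missing'."""
    sources = parse_array(pkgbuild, "source")
    sums = parse_array(pkgbuild, "sha256sums")
    if len(sources) != len(sums):
        raise ValueError("source and sha256sums arrays differ in length")
    result = {}
    for entry, expected in zip(sources, sums):
        if expected == "SKIP":
            result[entry] = "skipped"       # makepkg performs no check here
        elif entry not in fetched:
            result[entry] = "missing"
        elif sha256_hex(fetched[entry]) == expected:
            result[entry] = "ok"
        else:
            result[entry] = "mismatch"      # bytes differ from what was pinned
    return result


if __name__ == "__main__":
    # Same PKGBUILD, two downloads of "the same" release tarball.
    for label, blob in (("original", ORIGINAL_TARBALL),
                        ("regenerated", REGENERATED_TARBALL)):
        statuses = check_sources(PKGBUILD_TEXT, {"example-1.0.tar.gz": blob})
        print(label, statuses)
```

The first run reports the tarball as `ok`; the second reports `mismatch` even though the only change is archive metadata, which is exactly why a rebuild from an old PKGBUILD can fail without anyone having tampered with the code. Note that a `SKIP` entry is never checked at all, so for VCS sources the PKGBUILD on its own pins nothing; the commit or tag named in the source URL is what carries that information.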

