[arch-general] Severity of Failed checksum for PKGBUILD

Daniel Micay danielmicay at gmail.com
Fri Feb 20 15:58:53 UTC 2015


On 20/02/15 10:26 AM, Mark Lee wrote:
>
> However, the issue still stands regarding checksums. Perhaps packages
> with metadata changes should just not include checksums? Or, they could
> just link to the sources.archlinux.org in those cases with checksums.

Ideally, devtools would generate a source package, sign it and upload it
along with the binary packages. It would eliminate the minor flaws in
the current GPL compliance and there would actually be a way to obtain
the original sources used to build the package and compare to whatever
upstream currently offers.

The source packages are currently generated by a cron job on the
server... I'm sure patches are welcome but you aren't going to find many
people who really care.

> In addition, I was thinking more along the lines of coercion.

I don't know what you mean. The checksums prove absolutely nothing about
how the binary package was built. The packager can provide whatever
checksums they want, regardless of what sources they used to build the
package.

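As an added illustration of the point Daniel makes above (this is example code written for this archive page, not code from the thread, from devtools or from makepkg): the `sha256sums` array in a PKGBUILD is only checked against whatever the packager fetched and wrote down. The block below verifies a constructed PKGBUILD's sources the way makepkg conceptually does, then shows that a tampered tarball is caught only until the packager regenerates the sums (the `updpkgsums`-style step) from the tampered file, after which it verifies cleanly. Nothing in the check ever touches the binary package. The PKGBUILD text, the file contents and the `example.invalid` URLs are constructed; the array parser is a deliberate simplification (no shell variable expansion, no `)` inside entries).

```python
import hashlib
import hmac
import re
import shlex

# Constructed sample sources standing in for the files makepkg would fetch.
GOOD_TARBALL = b"constructed upstream tarball contents\n"
PATCH = b"--- a/file\n+++ b/file\n@@ -1 +1 @@\n-old\n+new\n"
SAMPLE_FETCHED = {"example-1.0.tar.gz": GOOD_TARBALL, "example.patch": PATCH}

# Constructed PKGBUILD fragment. The sums are derived from the bytes above,
# exactly as a packager would derive them from the files on their own disk.
SAMPLE_PKGBUILD = f"""\
pkgname=example
pkgver=1.0
source=("https://example.invalid/example-1.0.tar.gz"
        "example.patch"
        "git+https://example.invalid/repo.git")
sha256sums=('{hashlib.sha256(GOOD_TARBALL).hexdigest()}'
            '{hashlib.sha256(PATCH).hexdigest()}'
            'SKIP')
"""


def parse_array(pkgbuild, name):
    """Return the entries of a bash array assignment such as source=(...).

    Simplified: assumes no ')' inside entries and performs no $var expansion.
    """
    m = re.search(rf"^{name}=\((.*?)\)", pkgbuild, re.M | re.S)
    return shlex.split(m.group(1)) if m else []


def source_filename(entry):
    """Local file name for a source entry: 'name::url' or the URL basename."""
    if "::" in entry:
        return entry.split("::", 1)[0]
    return entry.split("#", 1)[0].rsplit("/", 1)[-1]


def verify_sources(pkgbuild, fetched):
    """Compare each fetched source against the sha256sums entry at its index.

    Returns {filename: 'ok' | 'mismatch' | 'skipped' | 'missing'}.
    """
    sources = parse_array(pkgbuild, "source")
    sums = parse_array(pkgbuild, "sha256sums")
    if len(sums) != len(sources):
        raise ValueError("sha256sums has a different length than source")
    result = {}
    for entry, expected in zip(sources, sums):
        name = source_filename(entry)
        if expected == "SKIP":          # VCS sources are not checksummed
            result[name] = "skipped"
            continue
        data = fetched.get(name)
        if data is None:
            result[name] = "missing"
            continue
        actual = hashlib.sha256(data).hexdigest()
        result[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return result


def regenerate_sums(pkgbuild, fetched):
    """Rewrite sha256sums from the files at hand, keeping existing SKIP entries.

    This is what a packager does when updating sums; it makes any file,
    including a tampered one, verify, because the sums come from the file.
    """
    sources = parse_array(pkgbuild, "source")
    old = parse_array(pkgbuild, "sha256sums")
    new = []
    for i, entry in enumerate(sources):
        if i < len(old) and old[i] == "SKIP":
            new.append("SKIP")
        else:
            new.append(hashlib.sha256(fetched[source_filename(entry)]).hexdigest())
    body = "sha256sums=(" + "\n            ".join(f"'{s}'" for s in new) + ")"
    return re.sub(r"sha256sums=\((.*?)\)", lambda _m: body, pkgbuild, count=1, flags=re.S)


def demo():
    """Clean verify, tampering caught, then tampering hidden by regenerated sums."""
    clean = verify_sources(SAMPLE_PKGBUILD, SAMPLE_FETCHED)
    tampered = dict(SAMPLE_FETCHED, **{"example-1.0.tar.gz": b"constructed tampered tarball\n"})
    detected = verify_sources(SAMPLE_PKGBUILD, tampered)
    relabeled = verify_sources(regenerate_sums(SAMPLE_PKGBUILD, tampered), tampered)
    return clean, detected, relabeled


if __name__ == "__main__":
    for label, res in zip(("clean", "tampered", "tampered+regenerated"), demo()):
        print(label, res)
```

What the three results show: the first run passes, the second flags `example-1.0.tar.gz` as `mismatch`, and the third passes again even though the tarball is still the tampered one, because the sums were simply recomputed from it. Verifying a PKGBUILD's checksums therefore tells a reader that the packager's declared sources match the packager's declared sums; it says nothing about which sources went into the binary package, which is why the thread's suggestion of a signed source package uploaded alongside the binaries is a different and stronger control.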