[arch-general] gpg source validation for kernel.org style signatures
danielmicay at gmail.com
Mon Jan 5 09:01:12 UTC 2015
On 04/01/15 05:03 PM, Doug Newgard wrote:
> On Sun, 4 Jan 2015 22:05:21 +0100
> Christian Hesse <list at eworm.de> wrote:
>> Hello everybody,
>> pacman 4.2.0 gained support for verifying source tarballs with
>> kernel.org style signatures. Some (even essential) packages could
>> benefit from that, linux and git come to mind.
>> How to handle this? Report a bug for every package? Provide a list
> A lot of it is already happening:
> If you want it added to a package that isn't on that list, the bug
> tracker is probably the best bet. Note that the linux package already
> has it.
That rebuild is just to fix packages that were already using GPG
signatures and need the fingerprint(s) added. There are a lot that could
be using them and aren't yet. This could likely be automated to a large
Using a script to detect if HTTPS works for fetching the sources along
with checking for signature files by appending .asc and .sig seems like
a promising plan.
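
Added example, not part of the original message or of any Arch tooling: one way to write the check proposed above, probing whether a source URL works over HTTPS and whether a detached signature exists at the same URL with .asc or .sig appended. It goes beyond the message by also trying the kernel.org-style name (foo.tar.xz -> foo.tar.sign); all function names and the example.org URL are hypothetical, and the probe is injectable so the logic can be exercised offline.

```python
import re
import urllib.request
from urllib.parse import urlsplit, urlunsplit

SIG_SUFFIXES = (".asc", ".sig")  # the two suffixes named in the message
COMPRESSION = re.compile(r"\.(gz|xz|bz2)$")  # assumption: common tarball compressions


def https_variant(url):
    # Same URL with the scheme switched to https.
    return urlunsplit(("https",) + tuple(urlsplit(url)[1:]))


def signature_candidates(url):
    """Signature URLs to probe for one source URL."""
    out = [url + s for s in SIG_SUFFIXES]
    # kernel.org signs the uncompressed tarball: foo.tar.xz -> foo.tar.sign
    bare = COMPRESSION.sub("", url)
    if bare != url and bare.endswith(".tar"):
        out.append(bare + ".sign")
    return out


def head_ok(url, timeout=10):
    """Default probe: True if a HEAD request succeeds (needs network)."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except (OSError, ValueError):  # URLError/HTTPError are OSError subclasses
        return False


def audit(sources, probe=head_ok):
    """Map each source URL to its working HTTPS URL and the signatures found."""
    report = {}
    for src in sources:
        secure = https_variant(src)
        https_works = probe(secure)
        base = secure if https_works else src  # look for signatures where the source lives
        sigs = [c for c in signature_candidates(base) if probe(c)]
        report[src] = {"https": secure if https_works else None, "signatures": sigs}
    return report


if __name__ == "__main__":
    # Constructed sample: a fake probe so the demo runs offline.
    live = {"https://example.org/foo-1.0.tar.gz", "https://example.org/foo-1.0.tar.gz.asc"}
    print(audit(["http://example.org/foo-1.0.tar.gz"], probe=live.__contains__))
```

A hit only shows that a signature file is published next to the source; the signing key's fingerprint still has to be added to the package, as the message notes.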