[arch-general] Stronger Hashes for PKGBUILDs
Eli Schwartz
eschwartz93 at gmail.com
Mon Dec 5 22:45:11 UTC 2016
On 12/05/2016 05:25 PM, sivmu wrote:
> A LOT of packages do not use pgp validation even though upstream
> provides signatures. That is the real issue here.
>
> Let me say this again: everyone who is responsible for arch packages
> needs to be clearly advised to use all available methods to effectively
> verify upstream source files.
>
> Using a strong hash by default won't do that.
AUR packages, or repo packages? There was a todo list[1] for the repos.
For anything in the AUR you should definitely drop a comment on their
page. And change the wiki guidelines on packaging standards to mention this.
--
Eli Schwartz
[1] https://www.archlinux.org/todo/use-gpg-signatures-and-https-sources/
More information about the arch-general
mailing list