[arch-general] Stronger Hashes for PKGBUILDs

Bennett Piater bennett at piater.name
Wed Dec 7 10:44:11 UTC 2016


On 12/07/2016 11:17 AM, Gregory Mullen wrote:
> If the argument left is, I don't want (better checksum) because it
> shouldn't be thought of as a security check, and I want a security check.
> 
> Why can't the requirement be PGP sigs are now required, and we drop the
> checksum completely?

Won't work because many upstreams don't provide signatures.
Maybe giving a warning ("source authenticity was not verified due to
lack of GPG signature") would work?

-- 
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808
