[arch-general] Stronger Hashes for PKGBUILDs
Merlin Büge
toni at bluenox07.de
Wed Dec 7 23:24:09 UTC 2016
On Wed, 7 Dec 2016 11:44:11 +0100
Bennett Piater <bennett at piater.name> wrote:

> Maybe giving a warning ("source authenticity was not verified due to
> lack of GPG signature") would work?

I find this a great idea.
It's transparent, and this way people get frequently reminded about that
security issue.

Or like sivmu said:

> A big fat warning about missing validation should automatically be
> generated in any package that misses signatures or at least https source
> downloads.

Regards,
Merlin
--
Merlin Büge <toni at bluenox07.de>