[arch-general] [arch-dev-public] todo list for moving http -> https sources
Levente Polyak
anthraxx at archlinux.org
Mon Oct 31 15:16:21 UTC 2016
On 10/31/2016 04:03 PM, Patrick Burroughs (Celti) wrote:
> As a middle ground, I think it would be more reasonable (or at least,
> less unreasonable) to modify makepkg to allow signing PKGBUILDs, or at
> least parts of them. For an existing example, OpenBSD's signify(1) uses
> their cryptographic signature system to sign a simple list sha256sums.
>
> Perhaps makepkg could include, e.g., a sha256sumsigs array, that
> contains a PGP signature (signed by the developer/TU's official key)
> of the contents (properly serialised by makepkg so there's a minimum
> of possible ambiguity) of the sha256sums array?
>
That is literally a _completely_ different topic that addresses
_completely_ different areas.
You are speaking about authenticating the build scripts itself. That
does not solve _anything_ at all what this thread/topic/todo-list is about.
Don't get me wrong: I don't judge about it at all, I'm just saying that
both are fully independent from each other and you should please open a
new thread if you want to discuss this rather then hijack this thread :)
cheers,
Levente
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20161031/8280cbec/attachment.asc>
More information about the arch-general
mailing list