[aur-general] Discussion about AUR packages signing

Fabien Dubosson fabien.dubosson at gmail.com
Mon Aug 11 04:06:59 EDT 2014


> On a side note, with the release of AUR 4.0.0, we are no longer going
> to use source tarballs. Every source package will have its own Git
> repository and you can use signed tags or signed commits.

Actually that is more than a side note, that answers my main concern.
Glad to hear that it would be possible to ensure end-to-end verification
in a future AUR version.

Just curious, do you have an idea of the planning of 4.0.0 release?
(Very roughly: 6 months, 1 year, more?)

> So I think it is kind of pointless to discuss signed source tarballs
> now...

I agree
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://mailman.archlinux.org/pipermail/aur-general/attachments/20140811/7214b274/attachment.asc>


More information about the aur-general mailing list