scimmia at archlinux.info
Sun Dec 11 19:54:08 UTC 2016
On Sun, 11 Dec 2016 20:46:56 +0100
Ralf Mardorf <ralf.mardorf at alice-dsl.net> wrote:
> you likely noticed the discussion about "Stronger Hashes for PKGBUILDs"
> on Arch general. I wonder if there is any reason to avoid validpgpkeys
> for PKGBUILDs of the AUR?
> https://aur.archlinux.org/packages/freetype2-infinality/ ?
> If upstream, e.g. kernel.org signs the source, then IMO nothing is
> wrong with including it to the PKGBUILD. I prefer signed sources.
> Actually this is done for at least linux.
> $ grep validpgpkeys -A3 /var/abs/core/linux/PKGBUILD
> 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
> '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
No, there is no reason to avoid it. The argument that people don't understand
isn't a valid one with Arch.
More information about the aur-general