[aur-general] validpgpkeys

Bruno Pagani bruno.pagani at ens-lyon.org
Sun Dec 11 19:55:23 UTC 2016


On 11/12/2016 at 20:46, Ralf Mardorf wrote:

> Hi,
>
> you likely noticed the discussion about "Stronger Hashes for PKGBUILDs"
> on Arch general. I wonder if there is any reason to avoid validpgpkeys
> for PKGBUILDs of the AUR?
> https://aur.archlinux.org/packages/freetype2-infinality/ ?
>
> If upstream, e.g. kernel.org, signs the source, then IMO nothing is
> wrong with including it in the PKGBUILD. I prefer signed sources.
>
> Actually this is done for at least linux.
>
> $ grep validpgpkeys -A3 /var/abs/core/linux/PKGBUILD 
> validpgpkeys=(
>         'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
>         '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
>              )
>
> Regards,
> Ralf

Hi,

No reason as far as I can see, except perhaps the fact that most users
don’t understand what happens when they have a failure on `==>
Verifying source file signatures with gpg...` because they didn’t add
the key to their keyring, despite a pinned comment telling them to do so… But
if we start to consider such things as valid reasons, we’re doomed.

Personally, I make use of this on as many of the packages I maintain as
possible, while pinning a comment redirecting to
https://wiki.archlinux.org/index.php/Makepkg#Signature_checking, and
also mentioning --skippgpcheck because it’s always mentioned in the
comments at some point, so I’d rather have it with a warning in the pinned
comment.

Cheers,
Bruno
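As an added example (not from this thread or from makepkg itself): a POSIX shell check that reads the validpgpkeys array out of a PKGBUILD and reports which fingerprints are absent from the local keyring, which is the situation behind the "Verifying source file signatures with gpg..." failure mentioned above. The sample PKGBUILD is constructed; only the `gpg --list-keys` call touches a real keyring.

```shell
# Constructed sample PKGBUILD (not a real package). Note the sha1sums
# entry: it is also 40 hex characters, so the parser must stay inside
# the validpgpkeys array instead of grepping the whole file.
SAMPLE_PKGBUILD=$(cat <<'EOF'
pkgname=example
pkgver=1.0
source=("https://example.invalid/example-$pkgver.tar.xz"{,.sign})
sha1sums=('da39a3ee5e6b4b0d3255bfef95601890afd80709' 'SKIP')
validpgpkeys=(
        'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
        '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
             )
EOF
)

# Print the full 40-hex fingerprints declared in validpgpkeys=( ... ) of
# the PKGBUILD given as $1, one per line, uppercased. Comments are
# stripped before looking for the closing ')'. Exit 1 if the array is
# missing or empty, i.e. the package does not use signature checking.
pkgbuild_fingerprints() {
    awk '
        /^validpgpkeys=\(/ { inarr = 1 }
        inarr { line = $0; sub(/#.*/, "", line); print line
                if (line ~ /\)/) exit }
    ' "$1" \
    | grep -oE '[0-9A-Fa-f]{40}' \
    | tr 'a-f' 'A-F' \
    | grep .
}

# Exit 0 if the fingerprint in $1 is present in the user's gpg keyring.
key_in_keyring() {
    gpg --batch --with-colons --list-keys "$1" >/dev/null 2>&1
}

# For every fingerprint in the PKGBUILD $1, say whether the key is
# already in the keyring; the exit status is the number of missing keys.
report_missing_keys() {
    missing=0
    for fpr in $(pkgbuild_fingerprints "$1"); do
        if key_in_keyring "$fpr"; then
            echo "present: $fpr"
        else
            echo "missing: $fpr  (import with: gpg --recv-keys $fpr)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Usage: sh check-keys.sh /path/to/PKGBUILD
if [ "$#" -gt 0 ]; then report_missing_keys "$1"; fi
```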
