[aur-general] [REVIEW REQUEST] python-viivakoodi

Eli Schwartz eschwartz93 at gmail.com
Sun Nov 27 00:27:37 UTC 2016


On 11/26/2016 01:01 AM, Florian Bruhin wrote:
>>   * Upstream does not provide any GPG signature of the tarballs nor
>>   commit signature. I've chosen to provide a detached GPG signature
>>   of the downloaded tarball with my GPG key. For me, its better to
>>   have this link-ability between the package maintainer and the
>>   downloaded tarball than nothing at all.
> 
> Not sure if that makes much sense, and FWIW I've had some issues with
> people not being able to install AUR packages with PGP keys. I don't
> recall exactly what the problem was though...

This. GPG signatures are meant to prove that upstream really released
it, but if all you know is that the AUR maintainer *thinks* this is the
upstream release, you might as well just stick with checksums, which
will serve just as well to prove the source code is the same source code
the AUR maintainer used.

Anyone who can defeat the checksum (by modifying your PKGBUILD) can also
defeat your own GPG key.

-- 
Eli Schwartz


More information about the aur-general mailing list