[aur-general] pcb-rnd-svn first package

Marcin Wieczorek marcin at marcin.co
Thu Jul 22 13:32:39 UTC 2021


On 21/07/22 14:54, pcb-rnd at cuvoodoo.info wrote:
> On Thu, Jul 22, 2021 at 02:45:38PM +0200, Marcin Wieczorek wrote:
> > Also I noticed that the signatures are broken (0 byte files). I don't
> > think it even is PGP. In case you ever contact the upstream make sure to
> > mention this and the fact that they should have https.
> > I'm not sure about that tho, because the authors seem to negate the
> > value of HTTPS or at least point out "false sense of security".
> > http://repo.hu/cgi-bin/pool.cgi?cmd=show&node=https
> 
> I already pointed out that some .asc are missing or empty.
> that should be fixed in the next release according to the author.
> 
> as for the https, I also discussed with the author on IRC, and the http choice is deliberate because the "false" security feeling HTTPS provides is not worth the effort, and he prefers pointing out the anchor of trust issue (as you found in the article).
> 
> also the signatures provided on the release page only use x.509 certificates.
> AFAICS only GPG signatures are supported by PKGBUILD.
> this is why I did not include the signatures.
> 
Ok. I'm glad that you considered that and already took action. You could
always do some prepare() magic to check the sigs. In the current case the
package lacks security measures; only the sums provide integrity.
Am I right?

Marcin Wieczorek
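One way to do the "prepare() magic" mentioned above, as an added example that is not part of the thread and not the packager's or upstream's code: since makepkg's validpgpkeys only handles OpenPGP, an X.509 signature can be checked with openssl from prepare(). It assumes (not confirmed by the thread) that upstream ships a detached signature produced with `openssl dgst -sha256 -sign`; the variable names `_tarball` and `_upstream_cert` are hypothetical. The upstream certificate would be listed in `source=` with its own sha256sum, so the pinned certificate in the PKGBUILD becomes the trust anchor; that detects later tampering with the tarball or signature but does not solve the first-fetch trust problem the article in the thread is about. The self-check uses constructed data only.

```shell
#!/bin/sh
# Added example, not from the aur-general thread: verify an X.509-signed
# release tarball from a PKGBUILD prepare(). Assumption: upstream publishes a
# detached signature made with `openssl dgst -sha256 -sign key.pem`
# (adjust to `openssl cms -verify` if the signature is CMS/PKCS#7 instead).

# verify_x509_sig <file> <sig> <cert.pem>
# Trust is pinned to the certificate passed in (which the PKGBUILD ships in
# source= with its own sha256sum). Extracts the public key from that cert and
# checks the detached signature. Returns 0 on a good signature, 1 otherwise.
verify_x509_sig() {
    file=$1; sig=$2; cert=$3
    pub=$(mktemp) || return 1
    if ! openssl x509 -in "$cert" -pubkey -noout > "$pub" 2>/dev/null; then
        rm -f "$pub"
        return 1
    fi
    openssl dgst -sha256 -verify "$pub" -signature "$sig" "$file" >/dev/null 2>&1
    rc=$?
    rm -f "$pub"
    return $rc
}

# What the PKGBUILD's prepare() would look like. _tarball and _upstream_cert
# are hypothetical names for entries in the PKGBUILD's source= array.
prepare() {
    cd "$srcdir"
    verify_x509_sig "$_tarball" "$_tarball.sig" "$_upstream_cert" || {
        echo "ERROR: X.509 signature check failed for $_tarball" >&2
        return 1
    }
}

# Self-check on constructed data: make a throwaway key and self-signed cert,
# sign a fake tarball, verify it, then confirm a tampered copy is rejected.
# Returns 0 only if the good file verifies AND the tampered file is rejected.
selfcheck() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem \
          -subj "/CN=constructed-upstream" -days 1 >/dev/null 2>&1 &&
      printf 'constructed release tarball contents\n' > release.tar.gz &&
      openssl dgst -sha256 -sign key.pem -out release.tar.gz.sig release.tar.gz &&
      verify_x509_sig release.tar.gz release.tar.gz.sig cert.pem &&
      printf 'tampered\n' >> release.tar.gz &&
      ! verify_x509_sig release.tar.gz release.tar.gz.sig cert.pem )
    rc=$?
    rm -rf "$dir"
    return $rc
}

if selfcheck; then
    echo "X.509 signature self-check passed"
else
    echo "X.509 signature self-check FAILED (is openssl installed?)" >&2
fi
```

Note that makepkg still only sees the sha256sums: a failed prepare() aborts the build, which is the desired outcome, but the certificate's checksum in the PKGBUILD is what actually anchors trust, so it should be obtained out of band rather than from the same plain-http site as the tarball.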