[pacman-dev] makepkg integrity check patches

Xavier Chantry chantry.xavier at gmail.com
Thu May 6 12:58:39 CEST 2010


On Thu, May 6, 2010 at 12:50 PM, Loui Chang <louipc.ist at gmail.com> wrote:
>
> This relates to package integrity. I guess I mean to present the odd
> possibility where you trust the person who signed the package, but it
> hasn't even passed basic integrity checks.
>
> I guess the debate is convenience versus correctness really.
>

No, it's not; we want both.
default behavior -> correctness
non-default behavior for people who know what they are doing -> convenience
Very much like pacman -Sd / -Sf as Allan already said multiple times.

> I can understand if someone may value the convenience more, but I
> contend that the gained convenience is not particularly valuable after
> all, can be obtained in other ways, and should not be put into the
> official tools at the potential sacrifice of correctness.
>

The only sacrifice we will make is packagers who dare to share a
pkgbuild with wrong checksums.
Allan told me he will burn them all in a public place.

Just like we would do with people who would send a pkgbuild with rm
-rf / inside.
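As an added illustration of the default-correctness / explicit-opt-out split argued in this message (example code written for this page, not pacman's makepkg itself), a bash function that checks a source file against a PKGBUILD-style sha256sums entry: a mismatch is fatal unless the caller explicitly opts out, and the `SKIP` entry follows the PKGBUILD convention. The file contents and digests are constructed.

```shell
#!/usr/bin/env bash
# Added example: checksum step of a makepkg-style integrity check.
# Default is correctness (mismatch => non-zero exit); the opt-out is an
# explicit third argument, in the spirit of pacman -Sd / -Sf.

# Print the hex SHA-256 digest of a file (coreutils or perl shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# check_source FILE EXPECTED [ALLOW_MISMATCH]
#   EXPECTED is a hex digest from the sha256sums array, or the literal
#   SKIP (PKGBUILD convention: do not verify this source).
#   Returns 0 on pass/skip, 1 on mismatch. With ALLOW_MISMATCH=1 the
#   mismatch is still reported on stderr but the return code is 0.
check_source() {
  local file=$1 expected=$2 allow=${3:-0} actual
  if [ "$expected" = "SKIP" ]; then
    echo "$file ... Skipped"
    return 0
  fi
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "$file ... Passed"
    return 0
  fi
  if [ "$allow" = 1 ]; then
    echo "$file ... FAILED (ignored: integrity checks disabled)" >&2
    return 0
  fi
  echo "$file ... FAILED (expected $expected, got $actual)" >&2
  return 1
}

# Constructed demo input: a source file containing "hello\n" and its
# known SHA-256 digest, plus a deliberately wrong digest.
demo_file=$(mktemp)
printf 'hello\n' > "$demo_file"
good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
bad=0000000000000000000000000000000000000000000000000000000000000000
check_source "$demo_file" "$good"
check_source "$demo_file" "$bad" || echo "build would abort here (rc=$?)"
check_source "$demo_file" "$bad" 1 && echo "explicit opt-out: continuing"
```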