[pacman-dev] [PATCH v2] makepkg: Add support for verifying pgp signatures

Wieland Hoffmann themineo at googlemail.com
Tue Jul 5 17:20:23 EDT 2011


Hello, Allan McRae:
> On 04/07/11 22:13, Wieland Hoffmann wrote:
> Looking good.   Some general comments:
> 
> I saw that --skipinteg implies --skippgpcheck.  I noticed this when
> I copied a "bad" signature into my source directory and I did not
> update the md5sums so used --skipinteg.  I was quite surprised when
> the signatures did not get checked.  Should these be separated more?

I chose to implement it this way because checking the signature means
verifying that the data I downloaded is the data uploaded by the
project which is what data integrity is about. Personally, I would be
surprised if --skipinteg didn't imply --skippgpcheck, although it's kind
of doing the same thing twice. Maybe a switch like --skipchecksums would
be a good idea that doesn't imply skipping ALL integrity checks.

> >+	local file
> >+	local errors=0
> 
> We should keep track of the number of non-error warnings too so a
> "==> WARNING:" message could be outputted.

The exact number/reason or just a simple "hey, there were some warnings"
so people scroll up to the actual warning(s)?

-- 
Wieland