[pacman-dev] [PATCH v2] makepkg: Add support for verifying pgp signatures

Allan McRae allan at archlinux.org
Tue Jul 5 20:04:25 EDT 2011


On 06/07/11 07:20, Wieland Hoffmann wrote:
> Hallo, Allan McRae:
>> On 04/07/11 22:13, Wieland Hoffmann wrote:
>> Looking good.   Some general comments:
>>
>> I saw that --skipinteg implies --skippgpcheck.  I noticed this when
>> I copied a "bad" signature into my source directory and I did not
>> update the md5sums so used --skipinteg.  I was quite surprised when
>> the signatures did not get checked.  Should these be separated more?
>
> I chose to implement it this way because checking the signature means
> verifying that the data I downloaded is the data uploaded by the
> project which is what data integrity is about. Personally, I would be
> surprised if --skipinteg didn't imply --skippgpcheck, although it's kind
> of doing the same thing twice. Maybe a switch like --skipchecksums would
> be a good idea that doesn't imply skipping ALL integrity checks.

That sounds a good idea
--skipinteg   - skips all
--skipchecksums  - skips checksums only
--skippgpcheck  - skips pgp sig check only

Leave the current patch as is with respect to how this is handled and 
add that in a separate patch (if you want to do that work...)

>>> +	local file
>>> +	local errors=0
>>
>> We should keep track of the number of non-error warnings too so a
>> "==>  WARNING:" message could be outputed.
>
> The exact number/reason or just a simple "hey, there were some warnings"
> so people scroll up to the actual warning(s)?
>

Just a "hey there were some warnings" is enough.

Allan


More information about the pacman-dev mailing list