[pacman-dev] [PATCH v2] makepkg: Add support for verifying pgp signatures
Allan McRae
allan at archlinux.org
Tue Jul 5 20:04:25 EDT 2011
On 06/07/11 07:20, Wieland Hoffmann wrote:
> Hello, Allan McRae:
>> On 04/07/11 22:13, Wieland Hoffmann wrote:
>> Looking good. Some general comments:
>>
>> I saw that --skipinteg implies --skippgpcheck. I noticed this when
>> I copied a "bad" signature into my source directory and I did not
>> update the md5sums so used --skipinteg. I was quite surprised when
>> the signatures did not get checked. Should these be separated more?
>
> I chose to implement it this way because checking the signature means
> verifying that the data I downloaded is the data uploaded by the
> project which is what data integrity is about. Personally, I would be
> surprised if --skipinteg didn't imply --skippgpcheck, although it's kind
> of doing the same thing twice. Maybe a switch like --skipchecksums would
> be a good idea that doesn't imply skipping ALL integrity checks.
That sounds like a good idea:
--skipinteg - skips all
--skipchecksums - skips checksums only
--skippgpcheck - skips pgp sig check only
Leave the current patch as is with respect to how this is handled and
add that in a separate patch (if you want to do that work...)
>>> + local file
>>> + local errors=0
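Review bot: alongside `local errors=0`, add a second counter such as `local warnings=0` so the function can emit one summary `==> WARNING:` line at the end, as the exchange below asks for; otherwise non-fatal findings scroll off with no final hint that something was flagged.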
>>
>> We should keep track of the number of non-error warnings too so a
>> "==> WARNING:" message could be output.
>
> The exact number/reason or just a simple "hey, there were some warnings"
> so people scroll up to the actual warning(s)?
>
Just a "hey there were some warnings" is enough.
Allan
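The three-switch split and the "there were some warnings" summary discussed in this message, as an added shell example that is not part of the patch or of makepkg itself; the function name, the SKIPINTEG/SKIPCHECKSUMS/SKIPPGPCHECK variables and the <name>.md5 / <name>.sig file layout are assumptions, and gpg is only invoked when a .sig file is actually present:

```bash
#!/bin/bash
# Hypothetical illustration of the scheme proposed in the thread (not makepkg code):
#   SKIPINTEG=1     skips every integrity check
#   SKIPCHECKSUMS=1 skips only the checksum pass
#   SKIPPGPCHECK=1  skips only the signature pass
# Errors make the function fail; warnings are only counted so that a single
# "==> WARNING:" summary can be printed at the end. Results are also exported
# in ERRORS and WARNINGS for the caller.
verify_sources() {
    # $1: directory holding each source, a <source>.md5 file (assumed layout:
    # one md5 hex digest) and optionally a detached <source>.sig signature
    local srcdir=$1 file src sig expected actual errors=0 warnings=0
    ERRORS=0; WARNINGS=0
    if [ "${SKIPINTEG:-0}" = 1 ]; then
        echo "==> WARNING: skipping all source file integrity checks"
        WARNINGS=1
        return 0
    fi
    for file in "$srcdir"/*.md5; do
        [ -e "$file" ] || continue
        src=${file%.md5}
        if [ "${SKIPCHECKSUMS:-0}" != 1 ]; then
            expected=$(cut -d' ' -f1 < "$file")
            actual=$(md5sum "$src" | cut -d' ' -f1)
            if [ "$expected" = "$actual" ]; then
                echo "    $(basename "$src") ... Passed"
            else
                echo "    $(basename "$src") ... FAILED"
                errors=$((errors + 1))
            fi
        fi
        if [ "${SKIPPGPCHECK:-0}" != 1 ]; then
            sig=$src.sig
            if [ ! -e "$sig" ]; then
                # A missing signature is not fatal here, only noted
                echo "==> WARNING: no signature for $(basename "$src")"
                warnings=$((warnings + 1))
            elif gpg --verify "$sig" "$src" 2>/dev/null; then
                echo "    $(basename "$src") signature ... Passed"
            else
                echo "    $(basename "$src") signature ... FAILED"
                errors=$((errors + 1))
            fi
        fi
    done
    ERRORS=$errors; WARNINGS=$warnings
    [ "$warnings" -gt 0 ] && echo "==> WARNING: $warnings warning(s) were reported above"
    [ "$errors" -eq 0 ]
}
```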