[pacman-dev] [PATCH 1/2] contrib: Add verify-pacman-repo-db.pl

Florian Pritz bluewind at xinu.at
Sun Aug 7 13:13:39 UTC 2016


On 07.08.2016 08:28, Allan McRae wrote:
> A commit message would be nice...

Would a copy of the manpage description be fine or do you have something
else in mind?

> Is there any reason PGP checksums are not checked?

I don't see a mention of checksum-only verification in the gpg manpage
so I'll assume you mean signatures here.

The main reason is that I'm not sure if it is really necessary. If we
want to catch obvious problems (missing or broken package file),
checking the sha256 and md5 hashes is enough. PGP opens a whole can of
worms starting with the simple issue that this script should also be
useful to mirror admins that want to check if their mirror is good.
Those servers may not run the distro for which they provide a mirror and
they probably don't have the keys in their keyring so verifying the
signatures is not easily possible.

I currently don't consider the feature worth adding, but I haven't
thought about it too much, which is why the TODO has a question mark at
the end. If you want, I can remove that line entirely given I've thought
about it some more now and still don't see a huge value in having it.

Florian
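The hash-only check described in the reply (catching missing or broken package files via the repo db's sha256/md5 entries), as an added Python example that is not Florian's verify-pacman-repo-db.pl. It assumes the `%FIELD%`/value layout of pacman's `desc` records; the package file and hashes are constructed.

```python
# Added example, not Florian's verify-pacman-repo-db.pl: check package files
# against the %MD5SUM%/%SHA256SUM% fields of pacman repo-db 'desc' records.
import hashlib
import os
import tempfile

# Constructed desc record in the %FIELD%/value layout pacman writes into the
# repo .db tarball; only the fields this check needs are included.
SAMPLE_DESC = "%FILENAME%\ndemo-1.0-1-any.pkg.tar.zst\n\n%MD5SUM%\n{md5}\n\n%SHA256SUM%\n{sha256}\n"

def parse_desc(text):
    """Map each %FIELD% header to the first value line that follows it."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith("%") and line.endswith("%"):
            key = line.strip("%")
        elif line and key and key not in fields:
            fields[key] = line
    return fields

def verify_package(pool_dir, desc_text):
    """Return 'ok', 'missing' or 'mismatch:<algo>' for one desc record."""
    d = parse_desc(desc_text)
    path = os.path.join(pool_dir, d["FILENAME"])
    if not os.path.isfile(path):
        return "missing"
    with open(path, "rb") as f:
        data = f.read()
    # Check the stronger hash first; a mismatch on either means a broken file.
    for field, algo in (("SHA256SUM", "sha256"), ("MD5SUM", "md5")):
        if field in d and hashlib.new(algo, data).hexdigest() != d[field].lower():
            return "mismatch:" + algo
    return "ok"

def demo():
    """Constructed pool directory exercising the ok/mismatch/missing outcomes."""
    pool = tempfile.mkdtemp()
    data = b"constructed package bytes"
    with open(os.path.join(pool, "demo-1.0-1-any.pkg.tar.zst"), "wb") as f:
        f.write(data)
    good = SAMPLE_DESC.format(md5=hashlib.md5(data).hexdigest(),
                              sha256=hashlib.sha256(data).hexdigest())
    bad = SAMPLE_DESC.format(md5="0" * 32,
                             sha256=hashlib.sha256(data).hexdigest())
    gone = good.replace("demo-1.0-1-any", "gone-1.0-1-any")
    return verify_package(pool, good), verify_package(pool, bad), verify_package(pool, gone)
```

In a real run the `desc` records come from extracting the `.db` tarball and `pool_dir` is the mirror's package directory; this check deliberately stops short of signature verification, matching the reasoning above.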

