[pacman-dev] [PATCH 1/2] contrib: Add verify-pacman-repo-db.pl

Allan McRae allan at archlinux.org
Sun Aug 7 13:18:14 UTC 2016


On 07/08/16 23:13, Florian Pritz wrote:
> On 07.08.2016 08:28, Allan McRae wrote:
>> A commit message would be nice...
> 
> Would a copy of the manpage description be fine or do you have something
> else in mind?
> 
>> Is there any reason PGP checksums are not checked?
> 
> I don't see a mention of checksum-only verification in the gpg manpage
> so I'll assume you mean signatures here.
> 
> The main reason is that I'm not sure if it is really necessary. If we
> want to catch obvious problems (missing or broken package file),
> checking the sha256 and md5 hashes is enough. PGP opens a whole can of
> worms starting with the simple issue that this script should also be
> useful to mirror admins that want to check if their mirror is good.
> Those servers may not run the distro for which they provide a mirror and
> they probably don't have the keys in their keyring so verifying the
> signatures is not easily possible.
> 
> I currently don't consider the feature worth adding, but I haven't
> thought about it too much, which is why the TODO has a question mark at
> the end. If you want, I can remove that line entirely given I've thought
> about it some more now and still don't see a huge value in having it.
> 

I didn't actually see the TODO - I was purely commenting based on the
man page. Get rid of the TODO, and put a very brief description in the
commit message and I will apply. (I am assuming it is tested due to
not knowing Perl that well...)

A
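The hash-only check Florian describes above (does every package the db lists exist next to it, with the size, md5 and sha256 the db records), as an added example in Python; this is not contrib/verify-pacman-repo-db.pl from this thread, and it is not pacman project code. It assumes the layout repo-add produces: a db tarball whose entries are `pkgname-pkgver/desc` files with `%FIELD%` headers, package files beside the db, and `%PGPSIG%` holding the base64 of the detached `.sig` file. The fixture it builds (`build_sample_repo`, package bytes, fake signature) is constructed for the demo. Because it never touches a keyring, it fits the mirror-admin case: the `.sig` comparison only tells you the signature file on disk is the one the db was built from, not that the signature is valid.

```python
import base64
import hashlib
import io
import os
import tarfile
import tempfile


def parse_desc(text):
    """Parse a pacman 'desc' file (%FIELD% headers, blank-line separated) into {field: [lines]}."""
    fields, current = {}, None
    for line in text.splitlines():
        if len(line) > 2 and line[0] == line[-1] == '%':
            current = line[1:-1]
            fields[current] = []
        elif not line.strip():
            current = None
        elif current is not None:
            fields[current].append(line)
    return fields


def read_repo_db(db_path):
    """Return the parsed 'desc' of every package entry in the db tarball."""
    entries = []
    with tarfile.open(db_path, 'r:*') as tar:
        for member in tar:
            if member.isfile() and os.path.basename(member.name) == 'desc':
                entries.append(parse_desc(tar.extractfile(member).read().decode()))
    return entries


def file_digests(path):
    """Stream the file once and return (md5hex, sha256hex)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b''):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def verify_repo_db(db_path, repo_dir):
    """Return [(filename, problem), ...]; an empty list means db and files agree."""
    problems = []
    for desc in read_repo_db(db_path):
        filename = desc.get('FILENAME', [None])[0]
        if filename is None:
            problems.append((desc.get('NAME', ['?'])[0], 'no %FILENAME% in desc'))
            continue
        pkg = os.path.join(repo_dir, filename)
        if not os.path.isfile(pkg):
            problems.append((filename, 'missing package file'))
            continue
        csize = desc.get('CSIZE', [None])[0]
        if csize is not None and os.path.getsize(pkg) != int(csize):
            problems.append((filename, 'size mismatch'))
        md5, sha = file_digests(pkg)
        if 'MD5SUM' in desc and desc['MD5SUM'][0] != md5:
            problems.append((filename, 'md5 mismatch'))
        if 'SHA256SUM' in desc and desc['SHA256SUM'][0] != sha:
            problems.append((filename, 'sha256 mismatch'))
        # Assumption (repo-add layout): %PGPSIG% is the base64 of pkg.sig. Comparing
        # bytes catches a missing or damaged .sig without any keys; it does NOT
        # verify the signature itself.
        if 'PGPSIG' in desc:
            sig = pkg + '.sig'
            if not os.path.isfile(sig):
                problems.append((filename, 'missing .sig'))
            elif base64.b64encode(open(sig, 'rb').read()).decode() != ''.join(desc['PGPSIG']):
                problems.append((filename, '.sig does not match %PGPSIG%'))
    return problems


def build_sample_repo(root, content=b'not really a package\n'):
    """Constructed fixture: one fake package, its fake .sig, and a db tarball listing it."""
    filename = 'foo-1.0-1-x86_64.pkg.tar.xz'
    pkg = os.path.join(root, filename)
    with open(pkg, 'wb') as fh:
        fh.write(content)
    sig = b'\x89fake detached signature'          # not a real OpenPGP packet
    with open(pkg + '.sig', 'wb') as fh:
        fh.write(sig)
    md5, sha = file_digests(pkg)
    desc = '\n\n'.join([
        '%FILENAME%\n' + filename, '%NAME%\nfoo', '%VERSION%\n1.0-1',
        '%CSIZE%\n' + str(len(content)), '%MD5SUM%\n' + md5,
        '%SHA256SUM%\n' + sha, '%PGPSIG%\n' + base64.b64encode(sig).decode(),
    ]) + '\n'
    db = os.path.join(root, 'test.db.tar.gz')
    with tarfile.open(db, 'w:gz') as tar:
        data = desc.encode()
        info = tarfile.TarInfo('foo-1.0-1/desc')
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return db, pkg


def demo():
    """Run the check on an intact, a corrupted and a missing package; return the three reports."""
    with tempfile.TemporaryDirectory() as root:
        db, pkg = build_sample_repo(root)
        intact = verify_repo_db(db, root)
        with open(pkg, 'r+b') as fh:
            fh.write(b'NOT')                      # same size, different bytes
        corrupted = verify_repo_db(db, root)
        os.remove(pkg)
        missing = verify_repo_db(db, root)
    return intact, corrupted, missing


if __name__ == '__main__':
    for label, report in zip(('intact', 'corrupted', 'missing'), demo()):
        print(label, report or 'ok')
```

Run it against a real mirror as `verify_repo_db('/srv/mirror/core/os/x86_64/core.db', '/srv/mirror/core/os/x86_64')`; the size check is worth keeping before the digests because a truncated download is the common mirror failure and it is caught without reading the file.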
