[pacman-dev] makepkg: verify git sources
Travis Burtrum
travis.archlinux at burtrum.org
Thu Dec 8 14:45:36 UTC 2016
Hello,
Just a small comment.
On 12/07/2016 03:48 PM, Jelle van der Waa wrote:
> * git url, but no #tag= or #commit= specified, should verify HEAD on the
> #branch or no tag, commit, branch case.
For a #commit=hash you shouldn't have to verify anything, since git
itself guarantees that the code under a specific commit hash cannot change.
Everything else can change, including tags, so those are suitable for
pgp verification.
Thanks,
Travis
More information about the pacman-dev
mailing list