[pacman-dev] makepkg: verify git sources

Eli Schwartz eschwartz93 at gmail.com
Thu Dec 8 15:01:42 UTC 2016


On 12/08/2016 09:45 AM, Travis Burtrum wrote:
> For a #commit=hash you shouldn't have to verify anything, since git
> itself guarantees that the code under a specific commit hash cannot change.
> 
> Everything else can change, including tags, so those are suitable for
> pgp verification.

Well, that would be just as good as having checksums, which is certainly
something.

But it is also completely missing the fundamental point of "PGP"
verification.

...

If users want to assume the maintainer has already checked the PGP
signatures for proof of authorship, and simply rely on the checksums
being accurate, they can use --skippgpcheck. Personally, I will continue
on with checking pgp signatures...

I don't see why signed git commits should be different from files with
sha256sums in that respect.

-- 
Eli Schwartz
