[pacman-dev] Could makepkg verify .dsc file?

Eli Schwartz eschwartz93 at gmail.com
Fri Dec 16 04:57:21 UTC 2016


On 12/15/2016 06:23 PM, Bruno Pagani wrote:
> On 16/12/2016 at 00:13, Allan McRae wrote:
> 
>> On 16/12/16 08:29, Bruno Pagani wrote:
>>> Hi there,
>>>
>>> This is probably some sort of feature request or maybe more general asking.
>>>
>>> I have a case where sha*sums are provided in a .dsc signed file
>>> (bs1770gain, for which *sane* upstream is Debian:
>>> https://packages.debian.org/source/sid/bs1770gain). Apparently, makepkg
>>> only supports verifying files with a detached signature. Is there a
>>> specific reason for that (like this use case is really tiny — I have no
>>> actual idea about this) or is it just because it was never implemented?
>>>
>> The format of signed checksum files varies a lot.  I don't want to
>> attempt to autodetect each one as that will create a future nightmare.
>>
>> Also, what is gained vs putting the checksums into the PKGBUILD?
>>
>> A
> 
> Easy verification of source for other people building the package (here
> from AUR, but could be from ABS). Or maybe I misunderstood the point of
> having PGP verification in makepkg?

PGP verification proves that upstream signed the sources. Debian .dsc
files prove nothing other than that Debian signed that download.

What exactly qualifies Debian as the "sane upstream" anyway?

What does authenticating Debian's checksums get us, that we couldn't
have gotten out of verifying the AUR maintainer's checksums?

Note that Allan has already vetoed the idea of upgrading the default
checksum type in makepkg, on the grounds that it doesn't really prove
anything, and nothing other than actual checksums or preferably PGP
signatures from the code author will prove *anything*.
So I don't see why yet more unproven checksums will be any different,
especially if it requires brand-new handling in makepkg specifically for
the purpose.

-- 
Eli Schwartz
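As an added example (not code from this thread or from makepkg), the checksum half of what verifying a .dsc would involve: unwrap the clearsign envelope, read the Checksums-Sha256 stanza, and compare a downloaded source file against it. Checking the signature itself is left to gpg --verify and assumed to happen first; the sample .dsc and tarball bytes below are constructed, not Debian's.

```python
import hashlib
CLEARSIGN_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"

def unwrap_clearsigned(text: str) -> str:
    """Strip a clearsign envelope (armor headers, signature) and undo dash-escaping.
    This does NOT check the signature; run gpg --verify on the .dsc first."""
    lines = text.splitlines()
    if not lines or lines[0] != CLEARSIGN_BEGIN:
        return text  # not clearsigned (e.g. a detached-signature setup)
    i = 1
    while i < len(lines) and lines[i] != "":  # skip "Hash: ..." headers
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == SIG_BEGIN:
            break
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body)

def parse_dsc_checksums(dsc_text: str, field: str = "Checksums-Sha256") -> dict:
    """Map filename -> (hex digest, size) from one multi-line checksum field."""
    entries, in_field = {}, False
    for line in unwrap_clearsigned(dsc_text).splitlines():
        if in_field and line.startswith(" "):  # continuation: "<digest> <size> <name>"
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
        else:
            in_field = line == field + ":"
    return entries

def verify_file(data: bytes, name: str, entries: dict) -> bool:
    """True only if both size and SHA-256 of data match the .dsc entry for name."""
    expected = entries.get(name)
    if expected is None:
        return False
    digest, size = expected
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

# Constructed sample (not from Debian): stand-in tarball bytes, a .dsc for them, dummy signature.
SAMPLE_TARBALL = b"not a real orig tarball, just sample bytes\n"
SAMPLE_DSC = "\n".join([
    CLEARSIGN_BEGIN, "Hash: SHA256", "",
    "Format: 3.0 (quilt)", "Source: bs1770gain", "Checksums-Sha256:",
    f" {hashlib.sha256(SAMPLE_TARBALL).hexdigest()} {len(SAMPLE_TARBALL)} bs1770gain_0.0.orig.tar.gz",
    " " + "ab" * 32 + " 1234 bs1770gain_0.0-1.debian.tar.xz",
    "Files:", " " + "cd" * 16 + " 1234 bs1770gain_0.0-1.debian.tar.xz",
    SIG_BEGIN, "(dummy signature block)", "-----END PGP SIGNATURE-----",
])
```

Even when every check here passes, it only shows the file matches what the .dsc signer listed; whether that signer is the code author is the point under discussion above.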
