[pacman-dev] Could makepkg verify .dsc file?
Eli Schwartz
eschwartz93 at gmail.com
Fri Dec 16 21:04:06 UTC 2016
On 12/16/2016 03:40 PM, Olivier Brunel wrote:
> Well, for the record there is a patch[1] for doing just that (and a
> bit more) actually. Because indeed a few upstreams do not provide
> signatures of the source code directly, but either detached sig of
> a checksum file, or checksums as a signed message. The patch in question
> handles both cases.
>
> And as it happens, it will work with firefox upstream, amongst others.
> (Though not with the .dsc files from Debian mentioned in this thread.)
>
> Cheers,
>
>
> [1]
> https://lists.archlinux.org/pipermail/pacman-dev/2015-November/020564.html
Hmm, I had forgotten that. I see that Allan objected to that on the
grounds that upstream could re-release the sums e.g. after adding a new
artifact to the hundred or so in the Firefox file. So you would either
have spurious failures, or be unable to detect re-releases.
Although I don't know if there are any stats on how often a checksums
file will get updated by upstream like that. Is that a significant concern?
--
Eli Schwartz
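An added example of the verification flow the two messages above describe, written for this page and not taken from makepkg, pacman, or the patch linked in the quoted message: it verifies an upstream checksum list (detached signature or clearsigned), then checks one source tarball against the single relevant line, and shows the trade-off Eli raises by optionally pinning the digest of the checksum list itself. The gpg command lines and the `[GNUPG:] VALIDSIG` status-line layout follow GnuPG's documented status interface; the key fingerprint, file names and sample checksum lines are constructed placeholders, and the self-check runs offline without invoking gpg.

```python
"""Verify a source tarball against an OpenPGP-signed upstream checksum list.
Handles a detached signature over the sums file (SHA256SUMS + SHA256SUMS.asc)
and a clearsigned sums file; the list is trusted only once gpg reports
VALIDSIG for an expected fingerprint. Example code, not makepkg's own."""
import hashlib
import os
import re
import subprocess
import tempfile

# Constructed placeholder; a real PKGBUILD pins the maintainer-chosen key fingerprint.
EXPECTED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# coreutils "hash  ./path/file" (sha256sum output) and BSD "SHA256 (file) = hash"
_COREUTILS = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")
_BSD = re.compile(r"^SHA256 \((.+)\) = ([0-9a-fA-F]{64})$")

def parse_sums(text):
    """Map relative path -> lowercase hex digest; unrecognised lines are skipped."""
    sums = {}
    for line in text.splitlines():
        m = _COREUTILS.match(line.strip())
        if m:
            digest, path = m.group(1), m.group(2)
        else:
            m = _BSD.match(line.strip())
            if not m:
                continue
            path, digest = m.group(1), m.group(2)
        sums[path[2:] if path.startswith("./") else path] = digest.lower()
    return sums

def lookup(sums, wanted):
    """Digest for `wanted` (relative path or bare file name), or None when absent
    or ambiguous (the same name under several directories with different digests)."""
    found = {d for p, d in sums.items() if p == wanted or p.endswith("/" + wanted)}
    return found.pop() if len(found) == 1 else None

def parse_gpg_status(status_output, expected):
    """True only if a VALIDSIG line names an expected fingerprint and no
    signature failed. GOODSIG is keyed by key ID, so it is deliberately ignored."""
    valid = failed = False
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"):
            failed = True
        elif parts[1] == "VALIDSIG" and len(parts) >= 3:
            fprs = {parts[2].upper()}
            if len(parts) >= 12:  # 12th field: primary key fingerprint when a subkey signed
                fprs.add(parts[11].upper())
            valid |= bool(fprs & {f.upper() for f in expected})
    return valid and not failed

def gpg_signed_content(signed_path, expected, detached_data=None):
    """Verified checksum text or None. Shells out to gpg (assumed to hold the key);
    clearsigned input is read back from gpg's --output so only signed bytes are used."""
    with tempfile.TemporaryDirectory() as tmp:
        out = os.path.join(tmp, "sums.txt")
        if detached_data is None:
            cmd = ["gpg", "--batch", "--status-fd", "1", "--output", out, "--decrypt", signed_path]
        else:
            cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", signed_path, detached_data]
        proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
        if not parse_gpg_status(proc.stdout, expected):
            return None
        with open(out if detached_data is None else detached_data, encoding="utf-8", errors="replace") as fh:
            return fh.read()

def check_source(tarball_path, sums_text, wanted=None, pinned_sums_sha256=None):
    """(ok, reason). With pinned_sums_sha256 the whole list must be unchanged: that
    catches a quiet re-release but fails when upstream merely appends artifacts.
    Without it only the relevant line is checked, so other changes go unnoticed."""
    if pinned_sums_sha256 is not None:
        actual = hashlib.sha256(sums_text.encode("utf-8")).hexdigest()
        if actual != pinned_sums_sha256.lower():
            return False, "checksum list differs from the pinned one: " + actual
    name = wanted or os.path.basename(tarball_path)
    expected = lookup(parse_sums(sums_text), name)
    if expected is None:
        return False, "no unambiguous entry for " + name
    with open(tarball_path, "rb") as fh:
        actual = hashlib.sha256(fh.read()).hexdigest()
    return (actual == expected), ("ok" if actual == expected else "digest mismatch: " + actual)

def selfcheck():
    """Offline demo on a constructed tarball and list (gpg is not invoked)."""
    data = b"hello\n"
    with tempfile.TemporaryDirectory() as tmp:
        tarball = os.path.join(tmp, "hello-1.0.source.tar.xz")
        with open(tarball, "wb") as fh:
            fh.write(data)
        v1 = hashlib.sha256(data).hexdigest() + "  ./source/hello-1.0.source.tar.xz\n"
        pin = hashlib.sha256(v1.encode("utf-8")).hexdigest()
        v2 = v1 + "a" * 64 + "  ./linux-x86_64/de/hello-1.0.tar.bz2\n"  # upstream added an artifact
        return {"v1_lenient": check_source(tarball, v1)[0],
                "v1_pinned": check_source(tarball, v1, pinned_sums_sha256=pin)[0],
                "v2_lenient": check_source(tarball, v2)[0],
                "v2_pinned": check_source(tarball, v2, pinned_sums_sha256=pin)[0]}
```

The self-check shows both policies on the same constructed data: after upstream appends one artifact to the list, the signature-only check still passes while the pinned check fails, which is exactly the spurious-failure versus undetected-re-release choice the message above describes. Matching by relative path rather than bare file name matters for lists that carry one archive per locale under different directories; a bare name that resolves to several digests is reported as ambiguous instead of picking one.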