[pacman-dev] Could makepkg verify .dsc file?

Olivier Brunel jjk at jjacky.com
Fri Dec 16 21:24:32 UTC 2016


On Fri, 16 Dec 2016 16:04:06 -0500
Eli Schwartz <eschwartz93 at gmail.com> wrote:

> On 12/16/2016 03:40 PM, Olivier Brunel wrote:
> > Well, for the record there is a patch[1] for doing just that (and a
> > bit more) actually. Because indeed a few upstreams do not provide
> > signatures of the source code directly, but either detached sig of
> > a checksum file, or checksums as a signed message. The patch in
> > question handles both cases.
> > 
> > And as it happens, it will work with firefox upstream, amongst
> > others. (Though not with the .dsc files from Debian mentioned in
> > this thread.)
> > 
> > Cheers,
> > 
> > 
> > [1]
> > https://lists.archlinux.org/pipermail/pacman-dev/2015-November/020564.html  
> 
> Hmm, I had forgotten that. I see that Allan objected to that on the
> grounds that upstream could re-release the sums e.g. after adding a
> new artifact to the hundred or so in the Firefox file. So you would
> either have spurious failures, or be unable to detect re-releases.

Not exactly: as long as you put the hash of the file in the PKGBUILD,
any change from upstream would be caught. I believe what Allan pointed
out was that using SKIP for the file could lead to such things, but
that would be a packaging rule to follow to ensure things don't happen.
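As an added illustration of the two upstream layouts the thread discusses (a checksum file with a detached signature, or checksums as a clearsigned message) and of why the pinned PKGBUILD hash still matters, here is example code that is neither the patch nor makepkg's own. The gpg invocation, the file name and the sample tarball bytes are assumptions constructed for the demo.

```python
# Added example (not makepkg's or the patch's code): check a source file against
# upstream's signed checksum list, then against the hash pinned in the PKGBUILD.
import hashlib, re, subprocess

BEGIN, SIG = "-----BEGIN PGP SIGNED MESSAGE-----", "-----BEGIN PGP SIGNATURE-----"

def gpg_verify(sig_path, data_path=None):
    """Detached sig (sig + data) or clearsigned file (sig only). Assumes gpg is on
    PATH and the upstream key is already trusted, as validpgpkeys= would require."""
    cmd = ["gpg", "--verify", sig_path] + ([data_path] if data_path else [])
    return subprocess.run(cmd, capture_output=True).returncode == 0

def clearsigned_body(text):
    """Return the message inside a clearsigned text, undoing '- ' dash-escaping;
    a plain sums file (the detached-signature case) is returned unchanged."""
    m = re.search(re.escape(BEGIN) + r"\n(?:[^\n]+\n)*\n(.*?)\n" + re.escape(SIG), text, re.S)
    if not m:
        return text
    return "\n".join(l[2:] if l.startswith("- ") else l for l in m.group(1).split("\n"))

def parse_sums(text):
    """Parse sha256sum/sha512sum-style 'HEX  name' lines into {name: hex}."""
    pat = re.compile(r"^([0-9a-fA-F]{64}|[0-9a-fA-F]{128})\s+\*?(\S.*)$")
    return {m.group(2): m.group(1).lower() for m in map(pat.match, text.splitlines()) if m}

def check_source(filename, data, sums_text, pinned_sha256):
    """Classify a download; call only after gpg_verify() succeeded on sums_text."""
    sums = parse_sums(clearsigned_body(sums_text))
    if filename not in sums:
        return "not-listed"          # upstream's signed list does not cover this file
    algo = {64: "sha256", 128: "sha512"}[len(sums[filename])]
    if hashlib.new(algo, data).hexdigest() != sums[filename]:
        return "upstream-mismatch"   # not the bytes upstream signed
    if pinned_sha256 == "SKIP":
        return "unpinned"            # signed, but a silent re-release would pass
    if hashlib.sha256(data).hexdigest() != pinned_sha256:
        return "re-released"         # upstream-signed, yet not the file the packager vetted
    return "ok"

# Constructed fixtures: no real signature, so gpg_verify() is not exercised here.
def make_sums(filename, data):
    return f"{hashlib.sha512(data).hexdigest()}  {filename}\n"

def fake_clearsign(body):
    """Lay text out the way gpg --clearsign does, including dash-escaping."""
    esc = "\n".join(("- " + l if l.startswith("-") else l) for l in body.rstrip("\n").split("\n"))
    return f"{BEGIN}\nHash: SHA512\n\n{esc}\n{SIG}\n(omitted)\n-----END PGP SIGNATURE-----\n"

FILE, DATA = "example-1.0.tar.xz", b"constructed tarball contents\n"
PINNED = hashlib.sha256(DATA).hexdigest()   # the value the PKGBUILD would carry
```

With the hash pinned, a tarball that upstream re-signed after a quiet re-release is reported as "re-released" rather than accepted; with SKIP in its place the same file would only be flagged as "unpinned".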
