[pacman-dev] Could makepkg verify .dsc file?

Bruno Pagani bruno.pagani at ens-lyon.org
Fri Dec 16 22:11:06 UTC 2016


On 16/12/2016 at 22:24, Olivier Brunel wrote:

> On Fri, 16 Dec 2016 16:04:06 -0500
> Eli Schwartz <eschwartz93 at gmail.com> wrote:
>
>> On 12/16/2016 03:40 PM, Olivier Brunel wrote:
>>> Well, for the record there is a patch[1] for doing just that (and a
>>> bit more) actually. Because indeed a few upstreams do not provide
>>> signatures of the source code directly, but either detached sig of
>>> a checksum file, or checksums as a signed message. The patch in
>>> question handles both cases.
>>>
>>> And as it happens, it will work with firefox upstream, amongst
>>> others. (Though not with the .dsc files from Debian mentioned in
>>> this thread.)
>>>
>>> Cheers,
>>>
>>>
>>> [1]
>>> https://lists.archlinux.org/pipermail/pacman-dev/2015-November/020564.html  
>> Hmm, I had forgotten that. I see that Allan objected to that on the
>> grounds that upstream could re-release the sums e.g. after adding a
>> new artifact to the hundred or so in the Firefox file. So you would
>> either have spurious failures, or be unable to detect re-releases.
> Not exactly, as long as you put the hash of the file in the PKGBUILD,
> any change from upstream would be caught. I believe what Allan pointed
> out was that using SKIP for the file could lead to such things, but
> that would be a packaging rule to follow to ensure things don't happen.

I totally agree with this. :)

Quite funnily, this is why I thought the feature I would like makepkg to
have was easy to have, because having already downloaded the signed file
to add its sha*sum to the corresponding array, it allowed makepkg to
correctly parse it with whatever I had put in the sha*sum array, while
this doesn’t work if the file isn’t already downloaded.

Bruno
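As an added example (not code from this thread, from the linked patch, or from makepkg itself), a POSIX shell sketch of the checksum chain Olivier describes: the tarball is checked against an upstream checksum file, and the checksum file's own hash is pinned in the PKGBUILD so an upstream re-release is caught, which SKIP would let through. It assumes the PGP signature covering the checksum file has already been verified, and all file names and contents are constructed.

```shell
#!/bin/sh
# verify_via_sums SUMS_FILE PINNED_SHA256_OR_SKIP TARBALL
# Accepts the tarball (returns 0) only if the checksum file matches its pinned
# hash (unless SKIP) and the tarball matches the entry listed for it.
verify_via_sums() {
    sums=$1; pinned=$2; tarball=$3
    # Step 1: the checksum file is itself a source; its hash belongs in the PKGBUILD.
    if [ "$pinned" != SKIP ]; then
        actual=$(sha256sum "$sums" | cut -d' ' -f1)
        [ "$actual" = "$pinned" ] || { echo "checksum file changed upstream" >&2; return 1; }
    fi
    # Step 2: look up the tarball in the sha256sum-format file ("*name" marks binary mode).
    expected=$(awk -v f="$(basename "$tarball")" '$2 == f || $2 == ("*" f) { print $1 }' "$sums")
    [ -n "$expected" ] || { echo "tarball not listed in checksum file" >&2; return 1; }
    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { echo "tarball hash mismatch" >&2; return 1; }
    return 0
}

# Constructed fixture: a fake release tarball, the original checksum file, and a
# "re-released" checksum file that lists one more artifact (tarball entry unchanged).
make_fixture() {
    dir=$(mktemp -d)
    printf 'release 1.0\n' > "$dir/src-1.0.tar.gz"
    printf 'extra artifact\n' > "$dir/src-1.0-extra.bin"
    ( cd "$dir" && sha256sum src-1.0.tar.gz > SHA256SUMS.v1 )
    ( cd "$dir" && sha256sum src-1.0.tar.gz src-1.0-extra.bin > SHA256SUMS.v2 )
    echo "$dir"
}

# Runs the three cases and echoes their outcomes: pinned hash against the original
# file, pinned hash against the re-release, and SKIP against the re-release.
demo() {
    d=$(make_fixture)
    pin=$(sha256sum "$d/SHA256SUMS.v1" | cut -d' ' -f1)
    verify_via_sums "$d/SHA256SUMS.v1" "$pin" "$d/src-1.0.tar.gz" 2>/dev/null && r1=ok || r1=fail
    verify_via_sums "$d/SHA256SUMS.v2" "$pin" "$d/src-1.0.tar.gz" 2>/dev/null && r2=ok || r2=fail
    verify_via_sums "$d/SHA256SUMS.v2" SKIP   "$d/src-1.0.tar.gz" 2>/dev/null && r3=ok || r3=fail
    rm -rf "$d"
    echo "$r1 $r2 $r3"
}

demo
```

The middle result is the re-release being caught by the pinned hash; the last shows that with SKIP the same re-release passes unnoticed, which is the packaging rule the thread is getting at.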
