[pacman-dev] [PATCH] makepkg: Verify git signatures

Eli Schwartz eschwartz93 at gmail.com
Tue Jan 3 07:41:51 UTC 2017

On 01/03/2017 12:22 AM, Allan McRae wrote:
> Needs documentation added.  e.g. can the query string occur anywhere
> relative to the fragment?

I wrote it so it should work either way, #fragment?query or
?query#fragment -- should we prefer one over the other?

For documentation: just add a new paragraph in PKGBUILD.5 under "USING
VCS SOURCES" (and tweak the wording to fit)?

> I'm guessing other modern VCS tools can have signatures verified too?

I would be pleasantly surprised if that were true.

AFAIK only git and mercurial can really be considered a "modern VCS",
and it seems mercurial can only do this via an optional thirdparty
plugin (commitsigs) or separately track a file containing signed hashes
-- one extra commit per signature -- via an optional builtin plugin (gpg).

Either one requires, in true mercurial fashion, explicitly enabling via
.hgrc. And using the non-thirdparty plugin is apparently recommended
against for what I imagine are obvious reasons.

> This function will become a mess when they are included.  Please split
> out git and standard file verification to their own functions called
> within this one.

When? Or if? Would it even be reasonable to try implementing Mercurial
signature verification? If not, does it still make sense to split out
the git verification from file verification?

Anyway, that case statement is VCS-agnostic, except for the check to
make sure we are using a (supported) VCS, and the fallthrough. Although
maybe the fallthrough should be handled when expanding the variable
later on?
I'll look at splitting each sourcetype into functions to generate the
statusfile though, since there is already a bit of unpleasantly
convoluted logic there.

Eli Schwartz

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20170103/21c16f30/attachment.asc>

More information about the pacman-dev mailing list