[arch-general] Stronger Hashes for PKGBUILDs

sivmu sivmu at web.de
Mon Dec 5 22:59:31 UTC 2016



On 05.12.2016 at 23:45, Eli Schwartz via arch-general wrote:
> On 12/05/2016 05:25 PM, sivmu wrote:
>> A LOT of packages do not use pgp validation even though upstream
>> provides signatures. That is the real issue here.
>>
>> Let me say this again: everyone who is responsible for arch packages
>> needs to be clearly advised to use all available methods to effectively
>> verify upstream source files.
>>
>> Using a strong hash by default won't do that.
> 
> AUR packages, or repo packages? There was a todo list[1] for the repos.
> 
> For anything in the AUR you should definitely drop a comment on their
> page. And change the wiki guidelines on packaging standards to mention this.
> 

Wow, thanks for the link, I did not know that yet. That looks awesome.
