[arch-general] Proper use of signify in PKGBUILDs
Eli Schwartz
eschwartz at archlinux.org
Sun Jul 21 15:27:00 UTC 2019
On 7/21/19 9:19 AM, brent s. wrote:
> i can't speak for why it bothers Eli, but it bothers me because that's
> exactly what GPG detached sigs are already: signed hash checksums. The
> signify method is a signed hash checksum of a (list of) hash
> checksum(s). To me it feels like an unnecessary abstraction when one
> could just provide .sig files for each file and be more widely compatible.
The problem is a lot bigger, because "widely compatible" includes "being
compatible with makepkg's official validation mechanism" and that
unnecessary abstraction means it cannot, in fact, be used in makepkg
after all.
--
Eli Schwartz
Bug Wrangler and Trusted User
More information about the arch-general
mailing list