On 04/01/15 05:03 PM, Doug Newgard wrote:
> On Sun, 4 Jan 2015 22:05:21 +0100
> Christian Hesse <list@xxxxxxxx> wrote:
>
>> Hello everybody,
>>
>> pacman 4.2.0 gained support for verifying source tarballs with
>> kernel.org style signature. Some (even essential) packages could
>> benefit from that, linux and git come to mind.
>>
>> How to handle this? Report a bug for every package? Provide a list
>> here?
>
> A lot of it is already happening:
> https://www.archlinux.org/todo/validpgpkeys-integrity-check/
>
> If you want it added to a package that isn't on that list, the bug
> tracker is probably the best bet. Note that the linux package already
> has it.
>
> Doug

That rebuild is just to fix packages that were already using GPG signatures and need the fingerprint(s) added. There are a lot that could be using them and aren't yet. This could likely be automated to a large extent. Using a script to detect if HTTPS works for fetching the sources along with checking for signature files by appending .asc and .sig seems like a promising plan.
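The probe sketched in the last paragraph, written out as an added example (not code from this thread or from Arch's own tooling): for each source URL it rewrites http:// to https:// and checks whether that fetches, then checks whether a companion file with .asc or .sig appended exists beside whichever URL worked. The `name::url` prefix handling follows the PKGBUILD source-array convention; the offline table `CONSTRUCTED_REACHABLE`, `example.invalid` and `mirror.invalid` are constructed stand-ins for real responses, and `http_head` is the real network probe used when none is injected. A hit on a .sig URL only says a file is published there; the signing key still has to be verified and its fingerprint recorded in validpgpkeys before the package is switched over.

```python
"""Probe a package's source URLs for HTTPS availability and published
upstream signatures (.asc / .sig). Added example, not Arch's own script."""
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request, urlopen
from urllib.error import HTTPError, URLError

SIG_SUFFIXES = (".asc", ".sig")


def http_head(url, timeout=10):
    """Real probe: True if a HEAD request returns a 2xx status."""
    try:
        with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except (HTTPError, URLError, ValueError):
        return False


def strip_rename(entry):
    """PKGBUILD sources may be written as 'localname::url'; keep only the URL."""
    return entry.split("::", 1)[1] if "::" in entry else entry


def to_https(url):
    """Rewrite an http:// URL to https://; any other scheme is returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return url


def check_source(entry, probe=http_head):
    """Report whether one source fetches over HTTPS and which signature files exist."""
    url = strip_rename(entry)
    https_url = to_https(url)
    # Only plain http/https sources are probed; git+https:// etc. are skipped.
    https_ok = https_url.startswith("https://") and probe(https_url)
    base = https_url if https_ok else url
    signatures = [base + s for s in SIG_SUFFIXES if probe(base + s)]
    return {"source": url, "https": https_ok, "signatures": signatures}


def check_sources(entries, probe=http_head):
    return [check_source(e, probe) for e in entries]


def summarize(results):
    """One line per source, suitable for feeding a todo list or bug reports."""
    lines = []
    for r in results:
        sig = r["signatures"][0] if r["signatures"] else "none"
        https = "yes" if r["https"] else "no"
        lines.append(f"{r['source']}  https={https}  signature={sig}")
    return lines


# Constructed offline table standing in for real HTTP responses (not real hosts).
CONSTRUCTED_REACHABLE = {
    "https://example.invalid/pkg-1.0.tar.gz",
    "https://example.invalid/pkg-1.0.tar.gz.sig",
    "http://mirror.invalid/old-2.3.tar.xz",
    "http://mirror.invalid/old-2.3.tar.xz.asc",
}


def constructed_probe(url):
    """Offline probe: a URL is 'reachable' iff it is in the constructed table."""
    return url in CONSTRUCTED_REACHABLE


if __name__ == "__main__":
    sample = [
        "pkg.tar.gz::http://example.invalid/pkg-1.0.tar.gz",  # https works, .sig published
        "http://mirror.invalid/old-2.3.tar.xz",               # https fails, .asc beside http
    ]
    for line in summarize(check_sources(sample, probe=constructed_probe)):
        print(line)
```

Run against a real PKGBUILD's source array with the default `http_head` probe; the first source in the constructed sample upgrades to HTTPS and has a .sig, the second stays on http:// but does publish a .asc, which is exactly the information needed to decide which packages to open bugs for.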