On 04/01/15 04:05 PM, Christian Hesse wrote:
> Hello everybody,
>
> pacman 4.2.0 gained support for verifying source tarballs with kernel.org
> style signature. Some (even essential) packages could benefit from that,
> linux and git come to mind.
>
> How to handle this? Report a bug for every package? Provide a list here?
I would create a wiki page with the list and then see if you can find a
developer interested in mass-adding the missing signatures. I'd be
interested in helping with it for [community], but you'll likely be able
to do it yourself soon ;).
Note that you should check svn rather than abs because theres usually no
rebuild for something like this. The linux{-lts,-grsec} packages are
using the new feature now.
I expect that this can be automated to a large extent. Looking for files
with .asc / .sig extensions doesn't need to be done by hand. It also
makes sense to figure out which packages can use HTTPS to fetch sources
since that's a lot better than nothing if no signatures are available.
Attachment:
signature.asc
Description: OpenPGP digital signature
