On 19/02/15 11:39 PM, Mark Lee wrote:
> On 02/19/2015 05:46 PM, Mark Lee wrote:
>> On 02/19/2015 05:24 PM, Lukas Jirkovsky wrote:
>>> On 19 February 2015 at 21:42, Doug Newgard <scimmia@xxxxxxxxxxxxxx> wrote:
>>>> You can't. If upstream provides a checksum, that gives you some verification,
>>>> but since github doesn't, there's no way to verify any of it.
>>>
>>> I don't know about github, but with bitbucket the checksums of these
>>> generated tarballs may change occasionally as I had this issue with
>>> luxrender. However, the sources were always the same, it was the
>>> metadata that changed.
>>>
>>
>> How important are checksums to PKGBUILDs then? Should sources with
>> varying checksums just have 'SKIP' in their integrity arrays?
>>
>> Regards,
>> Mark
>>
>
> Furthermore, if the integrity check is different from upstream, is a
> packager obligated to host a copy of the source code for GPLed software?
>
> Regards,
> Mark

No... the integrity check not matching is not because an out-of-tree
source tree was used. The checksums are certainly not there to improve
security; that's what GPG signatures are for.
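The distinction the reply draws (a checksum array pins what the packager downloaded, while only a detached signature plus validpgpkeys= establishes authenticity) can be made visible with a small lint. The script below is an added example written for this page, not code from the thread, from makepkg or from any Arch project. It assumes only the standard PKGBUILD variables source=(), sha256sums=()/sha512sums=()/md5sums=() and validpgpkeys=(), and it sources the PKGBUILD in a throwaway subshell, so it is meant for files you already intend to build. The sample PKGBUILD in the demo is constructed and not a real package; the .sig/.asc companion convention is the one makepkg itself uses.

```shell
#!/usr/bin/env bash
# Added example (not part of the thread above): report, for every entry in a
# PKGBUILD's source=() array, whether makepkg will actually verify it and how.
# Reads only the standard variables source=(), sha256sums=(), sha512sums=(),
# md5sums=() and validpgpkeys=(). The PKGBUILD is sourced in a subshell.

# Usage: lint_pkgbuild_integrity PKGBUILD
# Prints "<status><TAB><source>" per entry, where status is one of
#   hash            - a real checksum is listed (pins what the packager saw;
#                     says nothing about who produced the tarball)
#   signed          - checksum is SKIP, but a .sig/.asc companion plus a
#                     validpgpkeys=() entry is present (authenticity via GPG)
#   signature-file  - the entry is itself the detached signature
#   unverified      - checksum is SKIP and nothing else covers it
# Exit status: 0 if every entry is verified, 1 if any is unverified,
# 2 if the PKGBUILD could not be read.
lint_pkgbuild_integrity() {
    local pkgbuild=$1
    (
        # shellcheck disable=SC1090
        source "$pkgbuild" 2>/dev/null || exit 2

        # Use whichever integrity array the PKGBUILD provides, strongest first.
        local -a sums=()
        if   [ "${#sha256sums[@]}" -gt 0 ]; then sums=("${sha256sums[@]}")
        elif [ "${#sha512sums[@]}" -gt 0 ]; then sums=("${sha512sums[@]}")
        elif [ "${#md5sums[@]}"    -gt 0 ]; then sums=("${md5sums[@]}")
        fi

        # Source entries with their optional "localname::" prefix removed,
        # so that "foo.tar.gz" and "foo.tar.gz.sig" can be matched up.
        local -a names=("${source[@]#*::}")

        local i src status bad=0
        for i in "${!source[@]}"; do
            src=${names[$i]}
            if [ "${sums[$i]-SKIP}" != SKIP ]; then
                status=hash
            elif [[ $src == *.sig || $src == *.asc ]]; then
                status=signature-file
            elif [ "${#validpgpkeys[@]}" -gt 0 ] &&
                 printf '%s\n' "${names[@]}" | grep -qxF -e "$src.sig" -e "$src.asc"; then
                status=signed
            else
                status=unverified
                bad=1
            fi
            printf '%s\t%s\n' "$status" "$src"
        done
        exit "$bad"
    )
}

# Constructed demo input (not a real package): a github auto-generated archive
# with SKIP, which is exactly the case the thread is about.
demo_lint() {
    local tmp rc
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
pkgname=example
source=("https://github.com/example/example/archive/v1.0.tar.gz")
sha256sums=('SKIP')
EOF
    lint_pkgbuild_integrity "$tmp"
    rc=$?
    rm -f "$tmp"
    printf 'lint exit status: %s\n' "$rc"
}

# Run with a path to lint that PKGBUILD; with no arguments, run the demo.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    if [ $# -gt 0 ]; then lint_pkgbuild_integrity "$1"; else demo_lint; fi
fi
```

An "unverified" line is the situation Doug describes: with SKIP and no signature, makepkg accepts whatever the host serves. A "hash" line only means the build will fail if github regenerates the archive with different metadata, which is the bitbucket behaviour Lukas saw; it is a reproducibility check, not an authenticity check.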