Re: Severity of Failed checksum for PKGBUILD






> I understand that the metadata changed which changed the checksum,
> but that doesn't really change the question of what to do with
> source code versioning systems that have changing checksums and the
> need to supply source code for GPL projects.

If I understand you correctly, you want to be able to prove that a
certain source was used in a certain PKGBUILD to generate a certain
binary package you are looking at.
That kind of security is not built into Arch. You cannot even prove
that the PKGBUILD from ABS or SVN reflects the one that was used to
build that package you have.
It is a well-intended question to ask for GPL compliance and provable
sources, but that is not happening in Arch.
It's about trust (that's why they are called TU!), and the problem you
try to solve is ill-defined.
That aside, I think that rebuilding packages should be possible
(correct checksums etc.), but it can fail for a bunch of reasons, so
it's not the TU's fault mostly.

0,02€

