Hi,

On 02/20/2015 03:22 PM, Daniel Micay wrote:
> On 20/02/15 09:03 AM, Mark Lee wrote:
>> I understand that the metadata changed which changed the checksum, but
>> that doesn't really change the question of what to do with source code
>> versioning systems that have changing checksums and the need to supply
>> source code for GPL projects.
>
> Checksums aren't sources. Checksums aren't a proof that the package was
> built from those sources. Checksums also aren't a valuable security
> mechanism, unlike the support for GPG verification of sources. They're
> blindly updated on every release and clobbering releases is common... so
> we've all learned to ignore checksum failures. I don't understand what
> this has to do with the GPL.
>

Checksums prove that the sources you downloaded when running makepkg are
the same sources the author of the PKGBUILD used. This can be a valuable
security measure when those sources are not downloaded on a secure
connection (http instead of https and the like).

I'm not sure if downloads over the git:// protocol are actually verified,
because the transfer is definitely not secure. I do hope so.

Greetings,
Florian
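As an added example (not from this thread, and not Arch's own makepkg code), here is a small Python audit that applies Florian's point to a constructed PKGBUILD fragment: a recorded sha256 ties the fetched bytes to what the PKGBUILD author hashed, a `SKIP` entry gives no integrity check at all, and a VCS source is only tied to specific content when its URL carries a `#commit=` fragment. It assumes the standard PKGBUILD conventions (`name::url` entries, `git://`/`git+` prefixes for VCS sources, `SKIP` in the checksum array); the hostnames, file bytes and hashes are constructed for the demonstration.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed PKGBUILD fragment (not from the thread). The tarball checksum is
# filled in below from constructed bytes so the clean case verifies.
PKGBUILD_TEMPLATE = r"""
pkgname=example
source=('example-1.0.tar.gz::http://example.invalid/example-1.0.tar.gz'
        'example::git://example.invalid/example.git'
        'pinned::git+https://example.invalid/pinned.git#commit=0123456789abcdef0123456789abcdef01234567'
        'https://example.invalid/patch.diff')
sha256sums=('@TARBALL_SUM@'
            'SKIP'
            'SKIP'
            'SKIP')
"""

# Constructed "downloaded" contents; a real run would read the files makepkg fetched.
TARBALL = b"constructed stand-in for example-1.0.tar.gz\n"
DOWNLOADS_CLEAN = {
    "example-1.0.tar.gz": TARBALL,
    "patch.diff": b"--- a\n+++ b\n",
}
# The same download with a few bytes altered, as a plaintext transport could deliver it.
DOWNLOADS_TAMPERED = dict(DOWNLOADS_CLEAN, **{"example-1.0.tar.gz": TARBALL.replace(b"1.0", b"1.1")})

PKGBUILD = PKGBUILD_TEMPLATE.replace("@TARBALL_SUM@", hashlib.sha256(TARBALL).hexdigest())

VCS_PREFIXES = ("git://", "git+", "hg+", "svn+", "bzr+")
PLAINTEXT_SCHEMES = {"http", "ftp", "git", "git+http", "hg+http", "svn+http"}


def parse_array(pkgbuild, name):
    """Extract a single-quoted bash array such as source=(...) from PKGBUILD text."""
    m = re.search(r"^%s=\((.*?)\)" % re.escape(name), pkgbuild, re.S | re.M)
    return re.findall(r"'([^']*)'", m.group(1)) if m else []


def split_entry(entry):
    """Return (local name, url) for a source entry, honouring the 'name::url' form."""
    if "::" in entry:
        name, url = entry.split("::", 1)
    else:
        url = entry
        name = urlparse(url).path.rsplit("/", 1)[-1]
    return name, url


def transport_is_plaintext(url):
    """True when the scheme itself gives no transport integrity (http, ftp, git://)."""
    return urlparse(url).scheme in PLAINTEXT_SCHEMES


def check_source(entry, checksum, downloads):
    """Classify one source array entry against its sha256sums entry."""
    name, url = split_entry(entry)
    if checksum.upper() != "SKIP":
        # A recorded checksum ties the fetched bytes to what the PKGBUILD author hashed.
        actual = hashlib.sha256(downloads[name]).hexdigest()
        return "verified" if actual == checksum.lower() else "MISMATCH"
    if url.startswith(VCS_PREFIXES):
        # makepkg uses SKIP for VCS sources; only a #commit= fragment pins the content.
        if urlparse(url).fragment.startswith("commit="):
            return "pinned-commit"
        return "unverified-vcs"
    return "unverified"


def audit(pkgbuild, downloads):
    """Map each source's local name to its verification status."""
    sources = parse_array(pkgbuild, "source")
    sums = parse_array(pkgbuild, "sha256sums")
    if len(sums) != len(sources):
        raise ValueError("sha256sums length does not match source array")
    return {split_entry(s)[0]: check_source(s, c, downloads) for s, c in zip(sources, sums)}


if __name__ == "__main__":
    for label, downloads in (("clean", DOWNLOADS_CLEAN), ("tampered", DOWNLOADS_TAMPERED)):
        print("==", label)
        for entry in parse_array(PKGBUILD, "source"):
            name, url = split_entry(entry)
            status = audit(PKGBUILD, downloads)[name]
            note = " (plaintext transport)" if transport_is_plaintext(url) else ""
            print(f"{name:22} {status}{note}")
```

Running it shows the two cases the thread is about: the http tarball with a recorded checksum comes back `verified` on a clean fetch and `MISMATCH` once its bytes are altered in transit, while the bare `git://` source with `SKIP` comes back `unverified-vcs`, which is exactly the situation Florian is unsure about; pinning such a source with `#commit=` is what ties the checkout to one specific object.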