Re: Severity of Failed checksum for PKGBUILD




On 20/02/15 10:26 AM, Mark Lee wrote:
>
> However, the issue still stands regarding checksums. Perhaps packages
> with metadata changes should just not include checksums? Or, they could
> just link to the sources.archlinux.org in those cases with checksums.

Ideally, devtools would generate a source package, sign it and upload it
along with the binary packages. It would eliminate the minor flaws in
the current GPL compliance and there would actually be a way to obtain
the original sources used to build the package and compare to whatever
upstream currently offers.

The source packages are currently generated by a cron job on the
server... I'm sure patches are welcome but you aren't going to find many
people who really care.

> In addition, I was thinking more along the lines of coercion.

I don't know what you mean. The checksums prove absolutely nothing about
how the binary package was built. The packager can provide whatever
checksums they want, regardless of what sources they used to build the
package.

Attachment: signature.asc
Description: OpenPGP digital signature

