On Mon, Oct 31, 2016 at 4:16 PM, Levente Polyak <anthraxx@xxxxxxxxxxxxx> wrote: > > On 10/31/2016 04:03 PM, Patrick Burroughs (Celti) wrote: > > As a middle ground, I think it would be more reasonable (or at least, > > less unreasonable) to modify makepkg to allow signing PKGBUILDs, or at > > least parts of them. For an existing example, OpenBSD's signify(1) uses > > their cryptographic signature system to sign a simple list sha256sums. > > > > Perhaps makepkg could include, e.g., a sha256sumsigs array, that > > contains a PGP signature (signed by the developer/TU's official key) > > of the contents (properly serialised by makepkg so there's a minimum > > of possible ambiguity) of the sha256sums array? > > > > That is literally a _completely_ different topic that addresses > _completely_ different areas. > You are speaking about authenticating the build scripts itself. That > does not solve _anything_ at all what this thread/topic/todo-list is about. > > Don't get me wrong: I don't judge about it at all, I'm just saying that > both are fully independent from each other and you should please open a > new thread if you want to discuss this rather then hijack this thread :) > > cheers, > Levente > Yes, these are two totally different subjects: "Encourage the use of PGP signatures in our `source`" and "Using HTTPS on our `source`". Let's stick to the original subject :) I am all in favor of a script to turn `http` into `https` when available. Yeah HTTPS "brings a false sense of security" but still it hardens a link in the build process. Sorry for your caches guys, I might miss some background here but I couldn't imagine any reason to go against adding some more security in our build process.
