On 12/05/2016 05:25 PM, sivmu wrote:
> A LOT of packages do not use pgp validation even though upstream
> provides signatures. That is the real issue here.
>
> Let me say this again: everyone who is responsible for arch packages
> needs to be clearly advised to use all available methods to effectively
> verify upstream source files.
>
> Using a strong hash by default won't do that.

AUR packages, or repo packages?

There was a todo list[1] for the repos. For anything in the AUR you
should definitely drop a comment on their page.

And change the wiki guidelines on packaging standards to mention this.

--
Eli Schwartz

[1] https://www.archlinux.org/todo/use-gpg-signatures-and-https-sources/