Am 05.12.2016 um 23:45 schrieb Eli Schwartz via arch-general: > On 12/05/2016 05:25 PM, sivmu wrote: >> A LOT of packages do not use pgp validation even though upstream >> provides signatures. That is the real issue here. >> >> Let me say this again: everyone who is responsible for arch packages >> needs to be clearly advised to use all available methods to effectively >> verify upstream source files. >> >> Using a strong hash by default won't do that. > > AUR packages, or repo packages? There was a todo list[1] for the repos. > > For anything in the AUR you should definitely drop a comment on their > page. And change the wiki guidelines on packaging standards to mention this. > Wow thanks for the link, I did not kow that yet. That looks awesome.
Attachment:
signature.asc
Description: OpenPGP digital signature
