On 08/12/2016 at 01:57, Leonid Isaev wrote:
> On Thu, Dec 08, 2016 at 10:34:59AM +1000, Allan McRae wrote:
>> On 08/12/16 08:51, sivmu wrote:
>>> On 07.12.2016 at 10:49, Allan McRae wrote:
>>>>> ...
>>>>> I advocate keeping md5sum as the default because it is broken. If I see
>>>>> someone purely verifying their sources using md5sum in a PKGBUILD (and
>>>>> not pgp signature), I know that they have done nothing to actually
>>>>> verify the source themselves.
>>>>> ...
>>> That is a very dangerous assumption. I know for a fact that many
>>> maintainers used md5 for verification because it is the default.
>>> There are/were maintainers that downloaded the source, verified the pgp
>>> signature and generated the md5 checksum to include it in the PKGBUILD
>>> (without the pgp signature)
>> Idiots... so again using md5sums as the default saves me from people
>> who don't know how to package.
> Actually, this might not be so crazy. Sometimes you get a signed sha*sums file
> instead of signed source, so you don't include the key in validpgpkeys array.
> For example, when building Firefox, I have to manually verify the sig on
> SHA512SUMS and then paste the sha512sum into PKGBUILD. But this is because I'm
> paranoid... I guess one can simply do makepkg -g, hmm.
>
> Hence the question, why have this flag at all? And should it be possible to
> specify an external (signed) hash-file in PKGBUILD?
>
> Thx,
> L.

What is wrong with adding the sha*sum file and its signature to the source array and then using validpgpkeys?

Bruno
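One way to do what Bruno suggests, as an added example that is not from the thread (the PKGBUILD fragment in the comments uses assumed URLs, file names and a placeholder fingerprint): makepkg checks the detached signature on the sums file against validpgpkeys, but nothing ties the tarball to that signed list unless prepare() compares it explicitly, which the function below does.

```bash
#!/usr/bin/env bash
# Hypothetical PKGBUILD fragment (assumed values, not a real package):
#   source=("https://example.invalid/pkg-${pkgver}.tar.xz"
#           "https://example.invalid/SHA512SUMS"
#           "https://example.invalid/SHA512SUMS.asc")   # makepkg verifies SHA512SUMS with it
#   sha512sums=('SKIP' 'SKIP' 'SKIP')    # integrity of the tarball comes from the signed list
#   validpgpkeys=('<UPSTREAM KEY FINGERPRINT, obtained out of band>')
#   prepare() { verify_against_signed_sums SHA512SUMS "pkg-${pkgver}.tar.xz"; }

# verify_against_signed_sums SUMSFILE FILE...
# Succeeds only if every FILE has exactly one entry in SUMSFILE (matched on
# basename, since upstream lists may carry a path prefix such as source/)
# and the file's SHA-512 digest equals that entry.
verify_against_signed_sums() {
    local sums=$1; shift
    local f expected actual
    for f in "$@"; do
        # sha512sum format: "<hex>  name" (text) or "<hex> *name" (binary)
        expected=$(awk -v want="$(basename -- "$f")" '
            { name = $2; sub(/^\*/, "", name)
              n = split(name, parts, "/")
              if (parts[n] == want) print $1 }' "$sums")
        if [ -z "$expected" ] || [ "$(printf '%s\n' "$expected" | wc -l)" -ne 1 ]; then
            echo "$f: no unique entry in $sums" >&2
            return 1
        fi
        actual=$(sha512sum -- "$f" | cut -d' ' -f1)
        if [ "$expected" != "$actual" ]; then
            echo "$f: checksum mismatch against $sums" >&2
            return 1
        fi
    done
    return 0
}
```

The signature check on SHA512SUMS is still makepkg's job; this only closes the gap between the signed list and the tarball that was downloaded.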