On 10/12/2016 at 00:30, Leonid Isaev wrote:
> On Fri, Dec 09, 2016 at 03:15:34PM +0100, Bruno Pagani wrote:
>> On 08/12/2016 at 01:57, Leonid Isaev wrote:
>>
>>> On Thu, Dec 08, 2016 at 10:34:59AM +1000, Allan McRae wrote:
>>>> On 08/12/16 08:51, sivmu wrote:
>>>>> On 07.12.2016 at 10:49, Allan McRae wrote:
>>>>>>> ...
>>>>>>> I advocate keeping md5sum as the default because it is broken. If I see
>>>>>>> someone purely verifying their sources using md5sum in a PKGBUILD (and
>>>>>>> not pgp signature), I know that they have done nothing to actually
>>>>>>> verify the source themselves.
>>>>>>> ...
>>>>> That is a very dangerous assumption. I know for a fact that many
>>>>> maintainers used md5 for verification because it is the default.
>>>>> There are/were maintainers that downloaded the source, verified the pgp
>>>>> signature and generated the md5 checksum to include it in the PKGBUILD
>>>>> (without the pgp signature)
>>>> Idiots... so again using md5sums as the default saves me from people
>>>> who don't know how to package.
>>> Actually, this might not be so crazy. Sometimes you get a signed sha*sums file
>>> instead of signed source, so you don't include the key in validpgpkeys array.
>>> For example, when building Firefox, I have to manually verify the sig on
>>> SHA512SUMS and then paste the sha512sum into PKGBUILD. But this is because I'm
>>> paranoid... I guess one can simply do makepkg -g, hmm.
>>>
>>> Hence the question, why have this flag at all? And should it be possible to
>>> specify an external (signed) hash-file in PKGBUILD?
>>>
>>> Thx,
>>> L.
>> What is wrong with adding the sha*sum file and its signature in the
>> source array and then use validpgpkeys?
> And then what?
Then makepkg would check the sigs on the sha*sum file, and you could either grep the sum from this file to use it in the PKGBUILD automatically (which is done in firefox-nightly-fr, probably not optimally now that I thought about it) or have a function to later verify the sum (don’t like that way, but it’s done in firefox-nightly for instance), or copy it by hand if it is for a stable package (which seems to be your use case). The goal here being that other people using the PKGBUILD get the same GPG verification.
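As an added example (not part of this thread and not taken from any Arch package), here is how the pattern Bruno describes can be put into a PKGBUILD: the vendor's SHA512SUMS and its detached OpenPGP signature are listed in the source array, so makepkg checks the signature against the key in validpgpkeys, and a prepare() step then checks the tarball against that signed sums file rather than against a digest the packager generated locally. The package name, URLs and fingerprint are placeholders, and the demo input at the bottom is constructed.

```bash
#!/bin/sh
# Added example, not code from the thread or from any Arch package. The vendor
# ships SHA512SUMS plus SHA512SUMS.asc; both go in source=() so makepkg verifies
# the signature (the signer's fingerprint must be in validpgpkeys=()), and
# prepare() then checks the tarball against the *signed* sums file.
#
# Hypothetical PKGBUILD fragment (illustrative only; URLs and fingerprint are
# placeholders):
#   source=("https://example.invalid/foo-1.0.tar.xz"
#           "https://example.invalid/SHA512SUMS"
#           "https://example.invalid/SHA512SUMS.asc")
#   sha512sums=('SKIP' 'SKIP' 'SKIP')
#   validpgpkeys=('0000000000000000000000000000000000000000')  # placeholder
#   prepare() { verify_from_sumsfile "$srcdir/SHA512SUMS" foo-1.0.tar.xz; }

# verify_from_sumsfile SUMSFILE FILENAME
# Picks FILENAME's entry out of SUMSFILE (tolerating "./name" and "*name" forms)
# and feeds it to sha512sum -c. Returns 0 on match; 1 if the entry is missing,
# is not a SHA-512 digest, or does not match the file in the current directory.
verify_from_sumsfile() {
    sumsfile=$1
    filename=$2
    expected=$(awk -v f="$filename" '
        { n = $2; sub(/^\*/, "", n); sub(/^\.\//, "", n)
          if (n == f) { print $1; exit } }' "$sumsfile")
    if [ -z "$expected" ]; then
        echo "verify_from_sumsfile: no entry for $filename in $sumsfile" >&2
        return 1
    fi
    # A sums file for a different algorithm (e.g. SHA256SUMS) must not pass.
    if [ "${#expected}" -ne 128 ]; then
        echo "verify_from_sumsfile: entry for $filename is not a SHA-512 digest" >&2
        return 1
    fi
    printf '%s  %s\n' "$expected" "$filename" | sha512sum -c --status
}

# Constructed demo input (not vendor data): a throwaway "tarball" and a sums
# file that vouches for it, in a scratch directory.
demo_dir=$(mktemp -d)
(
  cd "$demo_dir" || exit 1
  printf 'constructed tarball contents\n' > foo-1.0.tar.xz
  printf '%s  ./foo-1.0.tar.xz\n' "$(sha512sum foo-1.0.tar.xz | cut -d' ' -f1)" > SHA512SUMS
  if verify_from_sumsfile SHA512SUMS foo-1.0.tar.xz; then
      echo "foo-1.0.tar.xz: OK"
  else
      echo "foo-1.0.tar.xz: FAILED"
  fi
)
rm -rf "$demo_dir"
```

The point of keeping the check in prepare() instead of pasting the digest into sha512sums=() is that makepkg -g only records whatever digest the downloaded file happens to have; the signed sums file is what ties the tarball back to the upstream key for everyone who later builds from the PKGBUILD.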