s/possible/possibly/ s/checksum in there/checksum in the PKGBUILD as usual/
On Mon, Oct 21, 2013 at 10:19 PM, Ido Rosen <[email protected]> wrote:

> - Do PKGBUILDs support signing the PKGBUILD and verifying that signature?
> (This seems like a good feature for yaourt or possible makepkg if it isn't
> one already.)
> It seems like if you want safety from MITM attacks, PGP sigs are the way
> to go, either sign the PKGBUILD and put the checksum in there, or include
> the signature of the source file in the tarball/pkg. (This is already
> provided for binary pkgs, but not source ones, correct? Seems easy enough
> to add a PKGBUILD signature and teach makepkg to use it.)
>
>
> On Mon, Oct 21, 2013 at 10:13 PM, Doug Newgard <[email protected]> wrote:
>
>> ----------------------------------------
>> > From: [email protected]
>> > Date: Tue, 22 Oct 2013 01:56:16 +0100
>> > To: [email protected]
>> > Subject: [aur-general] Support for remote sums in PKGBUILDs
>> >
>> > Breaking away from an IRC convo from this morning; has support for
>> > remote sums been considered for pacman?
>> > It's currently possible to do this for .sig files (through the source
>> > array), but not available for simple sha/md5 hashes. This would let
>> > packagers do something like:
>> > source=("http://example.com/downloads/$pkgname-$pkgver.tar.xz")
>> > sha1sums=("http://example.com/downloads/$pkgname-$pkgver.tar.xz.sha1")
>> >
>> > (Of course, only for servers that generate a programmatically
>> > discoverable hash of some sort; but it's not actually uncommon)
>> >
>> > J. Leclanche
>>
>> Couldn't you just do:
>> sha1sums=("$(curl
>> http://example.com/downloads/$pkgname-$pkgver.tar.xz.sha1)")
>>
>> It kind of defeats the purpose, though. If the server is hacked or
>> someone does a MitM, they can easily replace the checksum file as well.
>>
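As an added illustration (not part of the thread or of makepkg), a constructed shell demo of Doug's point: a sum fetched from the same origin as the tarball at build time still matches after both files are replaced, while a sum pinned in the PKGBUILD when the package was written catches the swap. The "server" is a temp directory and the tarball content is made up; a detached PGP signature check is the fix the thread recommends and is not shown here.

```shell
#!/bin/sh
# Constructed demo: $SERVER stands in for example.com's download directory.
set -u
SERVER=$(mktemp -d)
trap 'rm -rf "$SERVER"' EXIT

# Publish the original tarball and a programmatically generated .sha1 beside it.
printf 'good source\n' > "$SERVER/pkg-1.0.tar.xz"
sha1sum "$SERVER/pkg-1.0.tar.xz" | cut -d' ' -f1 > "$SERVER/pkg-1.0.tar.xz.sha1"

# Sum the packager recorded in the PKGBUILD at packaging time (reviewed once,
# then fixed in the file that users read and that could itself be signed).
PINNED_SHA1=$(cat "$SERVER/pkg-1.0.tar.xz.sha1")

# Current hash of whatever the server is serving now.
current_sha1() {
  sha1sum "$SERVER/pkg-1.0.tar.xz" | cut -d' ' -f1
}

# makepkg-style check against the pinned sum: prints "ok" or "FAIL".
verify_pinned() {
  [ "$(current_sha1)" = "$PINNED_SHA1" ] && echo ok || echo FAIL
}

# Equivalent of sha1sums=("$(curl .../pkg-1.0.tar.xz.sha1)"): the expected sum
# is fetched from the same origin as the tarball at build time (cat = curl here).
verify_remote() {
  expected=$(cat "$SERVER/pkg-1.0.tar.xz.sha1")
  [ "$(current_sha1)" = "$expected" ] && echo ok || echo FAIL
}

# Model a compromised server or MitM that swaps the tarball AND regenerates
# the .sha1 file, which is exactly what the thread says defeats remote sums.
tamper_server() {
  printf 'replaced source\n' > "$SERVER/pkg-1.0.tar.xz"
  sha1sum "$SERVER/pkg-1.0.tar.xz" | cut -d' ' -f1 > "$SERVER/pkg-1.0.tar.xz.sha1"
}

# Stand-alone run: both checks pass before, only the pinned one fails after.
echo "before: pinned=$(verify_pinned) remote=$(verify_remote)"
tamper_server
echo "after:  pinned=$(verify_pinned) remote=$(verify_remote)"
```

Running it prints "before: pinned=ok remote=ok" and "after: pinned=FAIL remote=ok"; the remote sum never disagrees with the origin that produced it.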
