On 16-11-26 19:27:37, Eli Schwartz via aur-general wrote:
> On 11/26/2016 01:01 AM, Florian Bruhin wrote:
> >> * Upstream does not provide any GPG signature of the tarballs nor
> >> commit signature. I've chosen to provide a detached GPG signature
> >> of the downloaded tarball with my GPG key. For me, it's better to
> >> have this link-ability between the package maintainer and the
> >> downloaded tarball than nothing at all.
> >
> > Not sure if that makes much sense, and FWIW I've had some issues with
> > people not being able to install AUR packages with PGP keys. I don't
> > recall exactly what the problem was though...
>
> This. GPG signatures are meant to prove that upstream really released
> it, but if all you know is that the AUR maintainer *thinks* this is the
> upstream release, you might as well just stick with checksums, which
> will serve just as well to prove the source code is the same source code
> the AUR maintainer used.
>
> Anyone who can defeat the checksum (by modifying your PKGBUILD) can also
> defeat your own GPG key.
>

You are right, I have removed this. My first goal was to sign my PKGBUILD file; I don't think it's possible?

On 16-11-26 07:01:15, Florian Bruhin wrote:
> > optdepends=('inkscape: tools for manipulating vector objects (eg: SVG files)')
>
> You'd usually put an explanation when/why inkscape is needed here.
>

Inkscape (or any other tool for SVG handling) is needed if one would like to see the result of the generated document in SVG format. As there could be a long list, I am not sure if such dependencies should be put into the PKGBUILD, even in optdepends?

> > if [ -f LICENSE ]; then
> >   install -Dm0644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
> >   install -Dm0644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE.launcher"
> > else
> >   warning "license file not found"
> > fi
>
> Why would it ever not exist?

I add this check in case upstream changes for any reason, so that it does not break the build process. The warning should be enough to let me investigate. I generally don't perform operations on resources that might not be present; I just applied this here too.

Thanks for your feedback, I have updated the PKGBUILD[0].

[0] https://git.bourgeois.eu/aur_python_viivakoodi.git/tree/