On 15-10-18, Levente Polyak via aur-general wrote:
> On 10/14/18 11:35 PM, Daniel Bermond via aur-general wrote:
> >
> > I usually don't use pgp on my aur packages because people tend to
> > complain a lot about building issues. They fail to handle the keys and
> > start complaining to the packager, and this is a big stress. When
> > dealing with repository packages this is another story, of course. Since
> > this was raised as a main issue, I'll be adding the pgp checks back again.
> >
>
> So let me summarize what you are saying, correct me if I'm wrong:
>
> You fully know what's all the gizzle with gpg. Instead of acting like a
> trustable user who follows best practice and spreads good advice and
> helps teaching people about how all this works properly you prefer to
> pull the lazy card because it's what? big stress? Serious?
> I don't even find words to describe how untrustworthy this is to the
> community to prefer to remove GPG signatures instead of educating users?

What a warm way to welcome people. A bit of fact-checking doesn't hurt:

$ pkgver=4.16.1
$ wget "https://www.apache.org/dist/flex/${pkgver}/binaries/apache-flex-sdk-${pkgver}-bin.tar.gz"{,.asc}
$ gpg --verify apache-flex-sdk-4.16.1-bin.tar.gz.asc
gpg: assuming signed data in 'apache-flex-sdk-4.16.1-bin.tar.gz'
gpg: Signature made mer. 15 nov. 2017 09:44:37 CET
gpg: using RSA key 44998F3E242727E94C4BADEB6B0A7EC905061FC8
gpg: Can't check signature: No public key
$ gpg --search-keys 44998F3E242727E94C4BADEB6B0A7EC905061FC8
gpg: data source: http://192.146.137.99:11371
(1) Piotr Zarzycki (CODE SIGNING KEY) <[email protected]>
      4096 bit RSA key 6B0A7EC905061FC8, created: 2017-06-17 (revoked)
Keys 1-1 of 1 for "44998F3E242727E94C4BADEB6B0A7EC905061FC8". Enter number(s), N)ext, or Q)uit >

Baptiste
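
The session above separates two outcomes: "No public key" and a key the keyserver lists as revoked. gpg reports them as different keywords on its machine-readable status channel. The following is an added example, not part of the original message: a hypothetical helper, `classify_sig_status`, that classifies that status output, run here over constructed sample lines that reuse the key ID shown in the post.

```sh
#!/bin/sh
# Added example. Input is what gpg writes with:
#   gpg --status-fd 1 --verify FILE.asc FILE 2>/dev/null
# Every status line starts with "[GNUPG:] " followed by a keyword.

# Print one verdict for a block of status lines. When several keywords
# appear, the most serious one wins (a missing key yields both ERRSIG
# and NO_PUBKEY; a revoked signing key yields REVKEYSIG, not GOODSIG).
classify_sig_status() {
    local prefix tag _rest verdict rank r v
    verdict="unknown"; rank=0
    while read -r prefix tag _rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$tag" in
            BADSIG)    r=6; v="bad-signature" ;;
            REVKEYSIG) r=5; v="revoked-key" ;;
            EXPKEYSIG) r=4; v="expired-key" ;;
            NO_PUBKEY) r=3; v="no-public-key" ;;
            ERRSIG)    r=2; v="cannot-check" ;;
            GOODSIG)   r=1; v="good" ;;
            *) continue ;;
        esac
        if [ "$r" -gt "$rank" ]; then rank=$r; verdict=$v; fi
    done <<EOF
$1
EOF
    printf '%s\n' "$verdict"
}

# Succeed only for a good signature from a key that is neither revoked
# nor expired; a build script can use this as its gate.
sig_is_acceptable() {
    [ "$(classify_sig_status "$1")" = "good" ]
}

# Constructed status lines (not captured output). The ERRSIG fields after
# the key ID and the GOODSIG key ID are made-up sample values.
SAMPLE_NO_KEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 6B0A7EC905061FC8 1 8 00 1510735477 9
[GNUPG:] NO_PUBKEY 6B0A7EC905061FC8'
SAMPLE_REVOKED='[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG 6B0A7EC905061FC8 Piotr Zarzycki (CODE SIGNING KEY)'
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Signer'

for sample in "$SAMPLE_NO_KEY" "$SAMPLE_REVOKED" "$SAMPLE_GOOD"; do
    classify_sig_status "$sample"
done
```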
