On 10/15/18 12:27 AM, Baptiste Jonglez wrote:
> On 15-10-18, Levente Polyak via aur-general wrote:
>> On 10/14/18 11:35 PM, Daniel Bermond via aur-general wrote:
>>>
>>> I usually don't use pgp on my aur packages because people tend to
>>> complain a lot about building issues. They fail to handle the keys and
>>> start complaining to the packager, and this is a big stress. When
>>> dealing with repository packages this is another story, of course. Since
>>> this was raised as a main issue, I'll be adding the pgp checks back again.
>>>
>>
>> So let me summarize what you are saying, correct me if I'm wrong:
>>
>> You fully know what's all the gizzle with gpg. Instead of acting like a
>> trustable user who follows best practice and spreads good advice and
>> helps teaching people about how all this works properly you prefer to
>> pull the lazy card because it's what? big stress? Serious?
>> I don't even find words to describe how untrustworthy this is to the
>> community to prefer to remove GPG signatures instead of educating users?
>
> What a warm way to welcome people. A bit of fact-checking doesn't hurt:
>
> $ pkgver=4.16.1
> $ wget "https://www.apache.org/dist/flex/${pkgver}/binaries/apache-flex-sdk-${pkgver}-bin.tar.gz"{,.asc}
> $ gpg --verify apache-flex-sdk-4.16.1-bin.tar.gz.asc
> gpg: assuming signed data in 'apache-flex-sdk-4.16.1-bin.tar.gz'
> gpg: Signature made mer. 15 nov. 2017 09:44:37 CET
> gpg: using RSA key 44998F3E242727E94C4BADEB6B0A7EC905061FC8
> gpg: Can't check signature: No public key
>
> $ gpg --search-keys 44998F3E242727E94C4BADEB6B0A7EC905061FC8
> gpg: data source: http://192.146.137.99:11371
> (1) Piotr Zarzycki (CODE SIGNING KEY) <[email protected]>
> 4096 bit RSA key 6B0A7EC905061FC8, created: 2017-06-17 (revoked)
> Keys 1-1 of 1 for "44998F3E242727E94C4BADEB6B0A7EC905061FC8". Enter
> number(s), N)ext, or Q)uit
>
> Baptiste
>
Fact checking what? I didn't respond to a specific case, I responded to a general statement:

"I usually don't use pgp on my aur packages because people tend to complain a lot about building issues."

And that statement applies to parts of your comment as well... no, I frankly don't understand that someone would not like to because it's stress. We then better add base-devel to makedepends as well, right?
