> I don't see why signing the PKGBUILD is required when signing the whole
> commit achieves the same thing and is easily verifiable with:
> git pull --rebase --verify-signatures

I think every time we talk about exclusively basing a design just because we
have git, we must remember that it's not only Parabola PKGBUILDs we deal with.
Most of our PKGBUILDs are inclusive of packages from Arch too, and abslibre
`does not` clone them at all. So the user is left with either 1) use abs, or
2) go to Arch's git web interface and individually download them.

This argument has been discussed before, and I have repeatedly brought it to
everyone's attention that we can't have an inconsistent solution like "use git
for Parabola's PKGBUILDs, and use Arch's git interface (which does have
PKGBUILDs of non-free packages too) for the majority of the packages that come
from [core], [extra] and [community]". This is a very dirty way of source code
management. So before anyone suggests "IGNORING" abs completely because "we
have git", please do remember the PKGBUILDs that come from Arch. Unless we fix
that part, abs remains the "consistent" method of downloading PKGBUILDs without
confusing the user and referring them to the non-free Arch git interface, and
it is hence important to sign PKGBUILDs too.

-- 
Icarious
GPG Public Key : 0x4428BA28AA2ACCD2
GPG Fingerprint : 6C37 E88E DD0B F042 7A15  676E 4428 BA28 AA2A CCD2
www.gnuos.in

_______________________________________________
Dev mailing list
[email protected]
https://lists.parabola.nu/mailman/listinfo/dev
