Icarious <[email protected]> writes:

>> I don't see why signing the pkgbuild is required when signing the whole
>> commit achieves the same thing and is easily verifiable with:
>> git pull --rebase --verify-signatures
>
> I think every time we talk on exclusively basing a design just cause we have
> git, we must remember that it's not only Parabola PKGBUILDs we deal with. Most
> of our PKGBUILDs are inclusive of Packages from Arch too and abslibre `does
> not` clone them at all. So the user is left with either 1) use abs, 2) Go to
> Arch's git web interface and individually download them.
>
> This argument has been discussed before and I have repeatedly brought it to
> everyone's attention that we can't have an inconsistent solution like "use
> git for Parabola's PKGBUILDs, and use Arch's git interface (which does have
> PKGBUILDs of non-free packages too) for majority of the packages that come
> from [core], [extra] and [community]". This is a very dirty way of source
> code management. So before anyone suggests in "IGNORING" abs completely cause
> "we have git" please do remember the PKGBUILDs that come from Arch. Unless
> we fix that part, abs remains the "consistent" method of downloading
> PKGBUILDs without confusing the user and referring them to the non-free arch
> git interface, and is henceforth important to sign pkgbuilds too.

Should we sign pkgbuilds from Arch then?

-- 
.oÓ)
_______________________________________________
Dev mailing list
[email protected]
https://lists.parabola.nu/mailman/listinfo/dev
