> > should we sign pkgbuilds from arch then?
> > --
> .oÓ)
Ideally we should. But given that it's not possible at the moment, the least we could do is find a balance between "consistent" source code management and security. So as signing git commits "cannot" serve abs users, I think it's best to use "gpg --verify PKGBUILD.sig PKGBUILD" instead of encouraging the use of two different source code management methods by forcing git "for security".

--
Icarious
GPG Public Key : 0x4428BA28AA2ACCD2
GPG Fingerprint : 6C37 E88E DD0B F042 7A15 676E 4428 BA28 AA2A CCD2
www.gnuos.in
_______________________________________________ Dev mailing list [email protected] https://lists.parabola.nu/mailman/listinfo/dev
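
Added example (not part of the original message and not Parabola's own tooling): "gpg --verify" exits 0 for a good signature from any key in the keyring, so a build script should also check which key signed PKGBUILD.sig. The function names, the PINNED_FPR placeholder and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# PINNED_FPR is a constructed placeholder, not a real packager key.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Read `gpg --status-fd` lines on stdin. Succeed only if a VALIDSIG line
# names the pinned key (signing key in field 3, primary key in field 12)
# and no bad, errored, expired or revoked-key signature status is present.
signed_by_pinned_key() {
    awk -v want="$1" '
        BEGIN { want = toupper(want) }
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($12) == want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# $1 = PKGBUILD, $2 = detached signature (PKGBUILD.sig).
# Status lines go to stdout; gpg's human-readable output is discarded.
verify_pkgbuild() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        signed_by_pinned_key "$PINNED_FPR"
}

# Constructed status output: a good signature from the pinned key ...
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Packager <packager@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-01-01 1420070400 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

# ... and an equally good signature from some other key in the keyring.
SAMPLE_OTHER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <other@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2015-01-01 1420070400 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98'

printf '%s\n' "$SAMPLE_GOOD"  | signed_by_pinned_key "$PINNED_FPR" && echo "pinned key: accept"
printf '%s\n' "$SAMPLE_OTHER" | signed_by_pinned_key "$PINNED_FPR" || echo "other key: reject"
```

In a build script, call verify_pkgbuild PKGBUILD PKGBUILD.sig and stop before sourcing the PKGBUILD if it returns non-zero.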
