Icarious <[email protected]> writes:

>> should we sign pkgbuilds from arch then?
>>
>> --
>> .oÓ)
>
> Ideally we should. But given that it's not possible at the moment, the
> least we could do is find a balance between "consistent" source code
> management and security. So as signing git commits "cannot" serve abs
> users, I think it's best to use "gpg --verify PKGBUILD.sig PKGBUILD"
> instead of encouraging to use two different source code management
> methods by forcing git "for security".

iirc librerelease signs and uploads pkgbuilds (and other local files) to repo, what's the current use on that?

--
P)

_______________________________________________ Dev mailing list [email protected] https://lists.parabola.nu/mailman/listinfo/dev
