On 07/30/2015 07:35 PM, fauno wrote:
> Icarious <[email protected]> writes:
>
>>> should we sign pkgbuilds from arch then?
>>>
>>> --
>>> .oÓ)
>> Ideally we should. But given that it's not possible at the moment, the
>> least we could do is find a balance between "consistent" source code
>> management and security. So as signing git commits "cannot" serve abs
>> users, I think it's best to use "gpg --verify PKGBUILD.sig PKGBUILD"
>> instead of encouraging the use of two different source code management
>> methods by forcing git "for security".
> iirc librerelease signs and uploads pkgbuilds (and other local files) to
> repo, what's the current use on that?
>
>

I think that librerelease only signs the compiled binaries. I've used it several times now and it never signed the PKGBUILDs. If it is intended to do that it may be a non-working or undocumented feature...
_______________________________________________
Dev mailing list
[email protected]
https://lists.parabola.nu/mailman/listinfo/dev
