> I don't see any way around this yet. You could do this in batch if
> desired.
> parallel gpg --default-key [yourkey] -b ::: PKGBUILD
>
> If people are using abs it pulls PKGBUILD and related source files,
> adding a .sig allows abs users to validate the PKGBUILD was created by
> the claimed PKGBUILD Maintainer.
PKGBUILDs should not be edited only by their maintainers. If abs is insecure, we should deprecate abs, not make git merges and rebases require manual work of fixing the signatures.

> Even then unless the git is signed it'll be very hard
> to determine how that happened since everyone is using the same git
> user, and it would be trivially easy to spoof username in gitconfig
> should an attacker actually gain access.

But you want people to sign commits with their GPG keys?

> Regarding the code review, thankfully gpg is pretty straightforward
> since we can use --verify.

Code review means that someone else would read the git patch and approve it before the package is uploaded. Yes, this procedure makes the (nonexistent) review harder.
_______________________________________________
Dev mailing list
[email protected]
https://lists.parabola.nu/mailman/listinfo/dev
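The two steps the thread is arguing about, detached-signing a PKGBUILD with `gpg -b` and checking it with `gpg --verify`, as an added example that is not part of the thread or of any Parabola tooling. It runs entirely in a throwaway GNUPGHOME and shows the check an abs user would actually need: not just "some valid signature", but a valid signature from the fingerprint already known for that maintainer, plus the failure that every later edit (merge, rebase) produces against the old signature. The key identity, the PKGBUILD contents and the all-zero "wrong" fingerprint are constructed for the example; gpg 2.2 or later on PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: sign a PKGBUILD with a detached
# signature (the "gpg --default-key KEY -b PKGBUILD" step quoted above) and
# verify it the way an abs user would have to, pinning the maintainer's key
# fingerprint rather than accepting any valid signature.
# Assumptions: gpg >= 2.2 on PATH; the key identity, file contents and the
# all-zero "wrong" fingerprint below are constructed for the example.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; exit 0; }

# Throwaway keyring and working directory, removed on exit.
export GNUPGHOME="$(mktemp -d)"
WORK="$(mktemp -d)"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME" "$WORK"' EXIT

# Generate an unprotected signing-only key in batch mode (example use only).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "Example Maintainer <maintainer@example.invalid>" \
    ed25519 sign never 2>/dev/null
# Fingerprint of that key: the value an abs user must already hold from a
# trusted source (e.g. a keyring package), never read from the signature itself.
MAINTAINER_FPR="$(gpg --batch --with-colons --list-secret-keys \
    | awk -F: '$1 == "fpr" { print $10; exit }')"

# A constructed PKGBUILD standing in for one pulled by abs.
cat > "$WORK/PKGBUILD" <<'EOF'
pkgname=example
pkgver=1.0
pkgrel=1
source=("https://example.invalid/example-1.0.tar.gz")
sha256sums=('SKIP')
EOF

# sign_pkgbuild FILE KEY: write FILE.sig, a binary detached signature.
sign_pkgbuild() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --default-key "$2" -b "$1"
}

# verify_pkgbuild FILE TRUSTED_FPR: print GOOD, WRONG_KEY or BAD and return 0
# only for GOOD. The machine-readable status lines are parsed instead of the
# exit code alone, because a signature from an unexpected key also "verifies".
verify_pkgbuild() {
    status="$(gpg --batch --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null || true)"
    # Last field of the VALIDSIG line is the signer's primary key fingerprint.
    signer="$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')"
    if [ -z "$signer" ]; then
        echo BAD
        return 1
    fi
    if [ "$signer" != "$2" ]; then
        echo WRONG_KEY
        return 1
    fi
    echo GOOD
}

# tamper_is_rejected: edit the PKGBUILD after signing and confirm the old
# signature no longer verifies, which is exactly what a maintainer-only
# signature does to every later merge or rebase.
tamper_is_rejected() {
    cp "$WORK/PKGBUILD" "$WORK/PKGBUILD.edited"
    cp "$WORK/PKGBUILD.sig" "$WORK/PKGBUILD.edited.sig"
    printf 'pkgrel=2\n' >> "$WORK/PKGBUILD.edited"
    [ "$(verify_pkgbuild "$WORK/PKGBUILD.edited" "$MAINTAINER_FPR")" = BAD ]
}

sign_pkgbuild "$WORK/PKGBUILD" "$MAINTAINER_FPR"
echo "untouched: $(verify_pkgbuild "$WORK/PKGBUILD" "$MAINTAINER_FPR")"
echo "wrong key: $(verify_pkgbuild "$WORK/PKGBUILD" "0000000000000000000000000000000000000000" || true)"
echo "edited:    $(tamper_is_rejected && echo rejected || echo ACCEPTED)"
```

The point of `verify_pkgbuild` is the fingerprint comparison: `gpg --verify` exits 0 for any signature made by any key in the keyring, so a consumer that only checks the exit code would accept a PKGBUILD signed by whoever last got a key imported. Parsing `--status-fd` and pinning the expected fingerprint closes that gap; the same parsing is what a signed-commit check would need, since the thread's concern about spoofable `gitconfig` usernames is not answered by the signature being valid but by whose key made it.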
