On 20 March 2018 at 00:59, Ryan Schmidt wrote:
> It's been pointed out before that when updating a port to a new version, one
> should not just update the version and checksums in the portfile; one should
> also verify at least one of those checksums with the ones published by the
> developers -- assuming the developers publish them.
>
> It would be great if livecheck could help us with that. So in addition to
> specifying the current livecheck.url and livecheck.regex for extracting an
> available new version number, there should be new options where a port could
> specify a url for a page where that new version's checksums are published,
> and regexes for extracting them.
>
> Once that's done, it makes it easier to implement a better "bump" command --
> one that can use any published checksums and compute the rest, and warn if no
> checksums were published.
>
> https://trac.macports.org/ticket/53851
>
> One possible interface:
>
> default livechecksum.type {none}
> default livechecksum.url {${livecheck.url}}
> default livechecksum.ignore_sslcert {${livecheck.ignore_sslcert}}
>
> default livechecksum.md5 {the first distfile's md5}
> default livechecksum.md5.url {${livechecksum.url}}
> default livechecksum.md5.ignore_sslcert {${livechecksum.ignore_sslcert}}
> default livechecksum.md5.regex {""}
>
> (repeat for the other checksum types sha1, rmd160, sha256, sha512, and maybe
> size)

Do you also want to support signatures then? Public keys are pretty long though, but they usually don't change. One example: https://waf.io

Mojca
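
The check proposed in the quoted message (take a page, pull the published checksum out with a regex, compare it with the distfile), as an added Python example that is not part of the thread and not MacPorts code. The function names, the sample page and the sample distfile are constructed for illustration; the page text stands in for what a fetch of `livechecksum.url` would return.

```python
import hashlib
import re

# Constructed sample data: a stand-in distfile and a stand-in upstream release page.
DISTFILE = b"constructed example tarball contents\n"
PAGE = ("<h1>example-1.2.3 released</h1>\n<pre>SHA256 (example-1.2.3.tar.gz) = "
        + hashlib.sha256(DISTFILE).hexdigest().upper() + "</pre>\n")

# Hex digest length per checksum type; rmd160 is left out because Python's
# hashlib does not guarantee it on every platform.
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def extract_published(page, regex, ctype):
    """Return the one digest captured by regex (one capture group), or None."""
    found = {m.lower() for m in re.findall(regex, page)}
    if not found:
        return None
    if len(found) > 1:
        raise ValueError(f"regex matched {len(found)} different {ctype} values")
    digest = found.pop()
    if not re.fullmatch(r"[0-9a-f]{%d}" % DIGEST_LEN[ctype], digest):
        raise ValueError(f"captured text is not a {ctype} hex digest")
    return digest


def check_distfile(data, page, regex, ctype="sha256"):
    """Compare a local distfile with the checksum published upstream."""
    published = extract_published(page, regex, ctype)
    if published is None:
        return "unverified"  # nothing published: warn instead of trusting blindly
    local = hashlib.new(ctype, data).hexdigest()
    return "match" if local == published else "mismatch"


if __name__ == "__main__":
    rx = r"SHA256 \(example-1\.2\.3\.tar\.gz\) = ([0-9A-Fa-f]+)"
    print(check_distfile(DISTFILE, PAGE, rx))
    print(check_distfile(DISTFILE + b"!", PAGE, rx))
```

A checksum served from the same host as the distfile catches corruption and mirror tampering but not a compromise of that host, which is where the signature support raised in the reply goes further.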
