On Mar 20, 2018, at 09:26, Mojca Miklavec wrote:

> On 20 March 2018 at 00:59, Ryan Schmidt wrote:
>> It's been pointed out before that when updating a port to a new version, one
>> should not just update the version and checksums in the portfile; one should
>> also verify at least one of those checksums with the ones published by the
>> developers -- assuming the developers publish them.
>>
>> It would be great if livecheck could help us with that. So in addition to
>> specifying the current livecheck.url and livecheck.regex for extracting an
>> available new version number, there should be new options where a port could
>> specify a url for a page where that new version's checksums are published,
>> and regexes for extracting them.
>>
>> Once that's done, it makes it easier to implement a better "bump" command --
>> one that can use any published checksums and compute the rest, and warn if
>> no checksums were published.
>>
>> https://trac.macports.org/ticket/53851
>>
>> One possible interface:
>>
>> default livechecksum.type {none}
>> default livechecksum.url {${livecheck.url}}
>> default livechecksum.ignore_sslcert {${livecheck.ignore_sslcert}}
>>
>> default livechecksum.md5 {the first distfile's md5}
>> default livechecksum.md5.url {${livechecksum.url}}
>> default livechecksum.md5.ignore_sslcert {${livechecksum.ignore_sslcert}}
>> default livechecksum.md5.regex {""}
>>
>> (repeat for the other checksum types sha1, rmd160, sha256, sha512, and maybe
>> size)
>
> Do you also want to support signatures then?
> Public keys are pretty long though, but they usually don't change.
>
> One example: https://waf.io

I have given no thought to the question of adding the ability for MacPorts to verify signatures. If you want to discuss it, I'd prefer you open a separate thread so we can keep this thread focused on livecheck improvements.
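
The checksum comparison proposed in the quoted message, as an added Python sketch that is not part of the original thread and is not MacPorts code. It assumes the page at livechecksum.url has already been fetched, and that each per-type regex captures the hex digest in group 1; the function names and the sample page are constructed for illustration.

```python
import hashlib
import hmac
import re

# rmd160 is left out: its availability in hashlib depends on the OpenSSL build.
HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1,
          "sha256": hashlib.sha256, "sha512": hashlib.sha512}

def published_checksum(page_text, regex):
    """Return the one checksum captured by group 1 of regex, or None.

    Raises ValueError when the page yields conflicting values, because
    silently picking one would defeat the purpose of the check.
    """
    found = {m.group(1).lower() for m in re.finditer(regex, page_text)}
    if not found:
        return None
    if len(found) > 1:
        raise ValueError("regex matched %d different checksums" % len(found))
    return found.pop()

def check_distfile(distfile_bytes, page_text, regexes):
    """regexes maps checksum type -> regex (stand-in for livechecksum.<type>.regex).

    Returns {type: "match" | "MISMATCH" | "not published"}.
    """
    result = {}
    for ctype, regex in regexes.items():
        published = published_checksum(page_text, regex)
        if published is None:
            result[ctype] = "not published"  # the "warn" case from the proposal
            continue
        computed = HASHES[ctype](distfile_bytes).hexdigest()
        ok = hmac.compare_digest(computed, published)
        result[ctype] = "match" if ok else "MISMATCH"
    return result

# Constructed sample: a release page in sha256sum(1) output format.
DISTFILE = b"constructed tarball contents\n"
PAGE = "%s  example-1.2.tar.gz\n%s  example-1.1.tar.gz\n" % (
    hashlib.sha256(DISTFILE).hexdigest(), hashlib.sha256(b"older").hexdigest())
# Anchor each regex to the distfile name so the 1.1 line is not picked up.
REGEXES = {"sha256": r"(?m)^([0-9a-f]{64})\s+\*?example-1\.2\.tar\.gz$",
           "sha512": r"(?m)^([0-9a-f]{128})\s+\*?example-1\.2\.tar\.gz$"}

if __name__ == "__main__":
    print(check_distfile(DISTFILE, PAGE, REGEXES))
```

A published checksum only adds assurance when the page is fetched over a channel independent of, or better authenticated than, the distfile download, which is why the ignore_sslcert options in the proposal deserve care.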
