On 07/08/16 23:13, Florian Pritz wrote:
> On 07.08.2016 08:28, Allan McRae wrote:
>> A commit message would be nice...
>
> Would a copy of the manpage description be fine or do you have something
> else in mind?
>
>> Is there any reason PGP checksums are not checked?
>
> I don't see a mention of checksum-only verification in the gpg manpage
> so I'll assume you mean signatures here.
>
> The main reason is that I'm not sure if it is really necessary. If we
> want to catch obvious problems (missing or broken package file),
> checking the sha256 and md5 hashes is enough. PGP opens a whole can of
> worms starting with the simple issue that this script should also be
> useful to mirror admins that want to check if their mirror is good.
> Those servers may not run the distro for which they provide a mirror and
> they probably don't have the keys in their keyring so verifying the
> signatures is not easily possible.
>
> I currently don't consider the feature worth adding, but I haven't
> thought about it too much, which is why the TODO has a question mark at
> the end. If you want, I can remove that line entirely given I've thought
> about it some more now and still don't see a huge value in having it.
>

I didn't actually see the TODO - I was purely commenting based on the
man page.

Get rid of the TODO, and put a very brief description in the commit
message and I will apply. (I am assuming it is tested due to not
knowing perl that well...)

A
