[2016-10-31 15:19:40 +0100] NicoHood:
> I'd also vote for https. It does not hurt to use a secure channel to
> download the sources from. It would be great if we as the ArchLinux team
> could make the first step in that direction.
>
> Using PGP signatures is another discussion, also the hash algorit
[2016-10-31 10:05:26 -0400] Dave Reisner:
> On Sun, Oct 30, 2016 at 04:43:04PM -1000, Gaetan Bisson wrote:
> > I agree with Sébastien. We should encourage upstream to digitally sign
> > their releases, and verify their authenticity in our PKGBUILDs.
> >
> > Downloading releases over HTTPS gives a f
On Mon, Oct 31, 2016 at 03:33:42PM -0400, Dave Reisner wrote:
> On Mon, Oct 31, 2016 at 08:14:32PM +0100, Thomas Bächler wrote:
> > On 31.10.2016 at 15:05, Dave Reisner wrote:
> > > Asking every upstream to provide a PGP signature isn't a process which
> > > will scale,
> >
> > I am against enfor
On Mon, Oct 31, 2016 at 08:14:32PM +0100, Thomas Bächler wrote:
> On 31.10.2016 at 15:05, Dave Reisner wrote:
> > Asking every upstream to provide a PGP signature isn't a process which
> > will scale,
>
> I am against enforcing https for projects which provide signatures. As
> Sebastien pointed o
On 31.10.2016 at 15:05, Dave Reisner wrote:
> Asking every upstream to provide a PGP signature isn't a process which
> will scale,
I am against enforcing https for projects which provide signatures. As
Sebastien pointed out, there are valid reasons against using https and
it adds no benefit when
I'd also vote for https. It does not hurt to use a secure channel to
download the sources from. It would be great if we as the ArchLinux team
could make the first step in that direction.
However, if you write such a script, it should also check if an https
download is available, as not all websites p
On Sun, Oct 30, 2016 at 04:43:04PM -1000, Gaetan Bisson wrote:
> [2016-10-31 03:23:48 +0100] Sébastien Luttringer:
> > On Sun, 2016-10-30 at 20:55 -0400, Dave Reisner wrote:
> > > There's been a sizeable number of bugs filed over the past month or so
> > > about changing PKGBUILDs to acquire sources
=== Signoff report for [testing] ===
https://www.archlinux.org/packages/signoffs/
There are currently:
* 2 new packages in last 24 hours
* 0 known bad packages
* 0 packages not accepting signoffs
* 6 fully signed off packages
* 47 packages missing signoffs
* 2 packages older than 14 days
(Note: t