On 10/31/2016 04:03 PM, Patrick Burroughs (Celti) wrote: > As a middle ground, I think it would be more reasonable (or at least, > less unreasonable) to modify makepkg to allow signing PKGBUILDs, or at > least parts of them. For an existing example, OpenBSD's signify(1) uses > their cryptographic signature system to sign a simple list sha256sums. > > Perhaps makepkg could include, e.g., a sha256sumsigs array, that > contains a PGP signature (signed by the developer/TU's official key) > of the contents (properly serialised by makepkg so there's a minimum > of possible ambiguity) of the sha256sums array? >
That is literally a _completely_ different topic that addresses _completely_ different areas. You are speaking about authenticating the build scripts itself. That does not solve _anything_ at all what this thread/topic/todo-list is about. Don't get me wrong: I don't judge about it at all, I'm just saying that both are fully independent from each other and you should please open a new thread if you want to discuss this rather then hijack this thread :) cheers, Levente
signature.asc
Description: OpenPGP digital signature
