> On a side note, with the release of AUR 4.0.0, we are no longer going
> to use source tarballs. Every source package will have its own Git
> repository and you can use signed tags or signed commits.

Actually that is more than a side note, that answers my main concern. Glad to hear that it would be possible to ensure end-to-end verification in a future AUR version. Just curious, do you have an idea of the planning of 4.0.0 release? (Very roughly: 6 months, 1 year, more?)

> So I think it is kind of pointless to discuss signed source tarballs
> now...

I agree
