On 11/12/2016 at 20:46, Ralf Mardorf wrote:
> Hi,
>
> you likely noticed the discussion about "Stronger Hashes for PKGBUILDs"
> on Arch general. I wonder if there is any reason to avoid validpgpkeys
> for PKGBUILDs of the AUR?
> https://aur.archlinux.org/packages/freetype2-infinality/ ?
>
> If upstream, e.g. kernel.org signs the source, then IMO nothing is
> wrong with including it to the PKGBUILD. I prefer signed sources.
>
> Actually this is done for at least linux.
>
> $ grep validpgpkeys -A3 /var/abs/core/linux/PKGBUILD
> validpgpkeys=(
> 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
> '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
> )
>
> Regards,
> Ralf
Hi,

No reason as far as I can see, except perhaps the fact that most users don't understand what happens when they have a failure on `==> Verifying source file signatures with gpg...` because they didn't add the key to their keyring, despite a pinned comment telling them to do so... But if we start to consider such things as valid reasons, we're doomed.

Personally, I make use of this on as many of the packages I maintain as possible, while pinning a comment redirecting to https://wiki.archlinux.org/index.php/Makepkg#Signature_checking, and also mentioning --skippgpcheck because it's always mentioned in the comments at some point, so I'd rather have it with a warning in the pinned comment.

Cheers,
Bruno
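As an added example (not part of the thread, and not the Arch or AUR project's own code): the shape of a PKGBUILD that does what both posts describe, with the upstream signature listed beside the tarball in `source=()` and the signer's full fingerprint in `validpgpkeys=()`, plus a small pre-build check a maintainer could point users at instead of `--skippgpcheck`. The `foo` package, its version and URLs are constructed for illustration; the two fingerprints are the ones Ralf quoted from core/linux. The check refuses short key IDs (only a full 40-hex-digit fingerprint is unambiguous), lists which sources actually carry a signature companion, and, if `gpg` is installed, names any fingerprint missing from the local keyring together with the `gpg --recv-keys` command that imports it, which is exactly the step users skip before seeing "Verifying source file signatures with gpg..." fail.

```bash
#!/usr/bin/env bash
# Added example: PKGBUILD fragment with signed sources and a pre-build
# check that the keys named in validpgpkeys are usable.

pkgname=foo          # constructed sample package
pkgver=1.0
# makepkg treats a file ending in .sig, .sign or .asc as the detached
# signature of the source it accompanies. "name::url" forms are handled.
source=("https://example.invalid/${pkgname}-${pkgver}.tar.gz"
        "https://example.invalid/${pkgname}-${pkgver}.tar.gz.sig")
validpgpkeys=(
  'ABAF11C65A2970B130ABE3C479BE3E4300411886'  # Linus Torvalds (from the thread)
  '647F28654894E3BD457199BE38DBBDC86092693E'  # Greg Kroah-Hartman (from the thread)
)

# Strip spaces and upper-case a fingerprint so "abaf 11c6 ..." compares cleanly.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# A full OpenPGP v4 fingerprint is 40 hex digits; 8/16-digit key IDs are
# ambiguous and must not be used in validpgpkeys.
is_full_fingerprint() {
  printf '%s' "$1" | grep -Eq '^[0-9A-F]{40}$'
}

# Print the local file name of every source that has a signature companion.
signed_sources() {
  local s base
  for s in "${source[@]}"; do
    case $s in *::*) base=${s%%::*} ;; *) base=${s##*/} ;; esac
    case $base in
      *.sig)  echo "${base%.sig}" ;;
      *.sign) echo "${base%.sign}" ;;
      *.asc)  echo "${base%.asc}" ;;
    esac
  done
}

# True if gpg already knows the key with this fingerprint.
key_in_keyring() {
  gpg --batch --with-colons --list-keys "$1" >/dev/null 2>&1
}

# Validate every entry of validpgpkeys; report problems on stderr.
check_validpgpkeys() {
  local fpr norm rc=0
  for fpr in "${validpgpkeys[@]}"; do
    norm=$(normalize_fpr "$fpr")
    if ! is_full_fingerprint "$norm"; then
      echo "BAD: '$fpr' is not a full 40-hex-digit fingerprint" >&2
      rc=1
      continue
    fi
    if command -v gpg >/dev/null 2>&1 && ! key_in_keyring "$norm"; then
      echo "MISSING: $norm is not in your keyring; import it with:" >&2
      echo "    gpg --recv-keys $norm" >&2
      rc=1
    fi
  done
  return $rc
}

# Run the check only when invoked as: bash this_file.sh --check
if [ "${1:-}" = "--check" ]; then
  echo "Signed sources: $(signed_sources | tr '\n' ' ')"
  check_validpgpkeys && echo "All validpgpkeys are full fingerprints and present in the keyring."
fi
```

Run it as `bash check.sh --check` before `makepkg`; a clean result means the gpg verification step will find every key it needs, and the `gpg --recv-keys` hint covers the import Bruno's pinned comment asks for.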