On 05/06/2018 01:08 PM, notify--- via aur-requests wrote:
> Request #11319 has been rejected by Eschwartz [1]:
>
> Checksums don't add security; that's why they're the "integrity check", not the "security check". Do you know how many [core] packages don't have PGP signatures available at all? Those are used on far more devices.

Really I should clarify. I've actually fought for the use of integrity checksums more, e.g. unsuccessfully asking for --geninteg to default to better checksums. Even a non-perfect fix is better than nothing, and every bit helps. I also prefer, when using git sources, to pin the #commit= instead of tags.

This wasn't my main reason for rejecting your request though; instead this was:

> Granted, using PGP when available is always nice. But I don't see you screeching at the non-dkms package maintainer to fix *his* packages which don't use PGP either...
>
> So much for the "security flaw".

In the comments you complained that PGP is not used, but you're involved with archzfs (and therefore hardly objective). What I find interesting is the sheer gall in essentially saying we should forcibly orphan a package because we don't like his checksum policies, then capping that off by complaining about the lack of PGP *when archzfs does the exact same thing*. And you're even involved with that and could fix it far more easily.

archzfs may take 10 months to still not merge the fix for erroneously depending on a specific pkgrel of the kernel, and the code may be nearly as bad/unreadable as the average GNU project, or perhaps the output of grub-mkconfig (a scarily apt comparison between two horrible autogenerators)... but it seems to have a pretty fair track record of *listening* and engaging in dialogue with users.

> As for maintainers taking "weeks for a simple update", not everyone can update the very day something is released; you get what you pay for, and sometimes not even that, in the AUR. This is why we offer maintainers grace periods, because otherwise no one would be able to maintain packages for more than two or three upstream updates before some overwrought individual throws a tantrum and claims the package for themselves.

This is really the only thing that matters at the end of the day.

> We can discuss this as and when that becomes relevant, but this is not even currently out of date...
>
> Your false complaint about security gets extra points taken off of my likelihood to care what you have to say.

False might be too strong a word; it's just hypocritical and overinflated for the actual magnitude of the issue.

-- 
Eli Schwartz
Bug Wrangler and Trusted User
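The three source-pinning mechanisms the reply contrasts (an integrity checksum, PGP verification through validpgpkeys, and a git source pinned with #commit= rather than a tag) side by side in one PKGBUILD, as an added example that is not from the thread and not any real AUR package. The package name, URLs, commit hash, checksum value and key fingerprint are placeholders; the weak_sums helper at the end is likewise an assumed packager self-check, not a makepkg feature.

```bash
#!/usr/bin/env bash
# Added illustration (not from the thread, not a real AUR package): a PKGBUILD
# using all three source-pinning mechanisms the reply mentions. Package name,
# URLs, commit hash, checksum and key fingerprint are placeholders.

pkgname=example-tool
pkgver=1.2.3
pkgrel=1
pkgdesc="Placeholder package showing integrity checksums next to signature verification"
arch=('x86_64')
url="https://example.org/example-tool"
license=('MIT')
makedepends=('git')

# A release tarball, its detached signature, and a git helper repo pinned with
# #commit= rather than #tag=: a tag can be moved or re-pushed upstream, whereas
# a commit hash cannot be reassigned to different content.
source=("https://example.org/example-tool/${pkgname}-${pkgver}.tar.gz"
        "https://example.org/example-tool/${pkgname}-${pkgver}.tar.gz.sig"
        "helper::git+https://example.org/example-tool/helper.git#commit=0123456789abcdef0123456789abcdef01234567")

# Integrity check: proves the download matches what the packager recorded, not
# that what the packager recorded was genuine. Prefer sha256/sha512 over md5,
# and avoid SKIP for a fixed release tarball. SKIP is fine for the .sig (the
# signature is what gets verified) and for the git source (the #commit=
# fragment already pins its content).
# Placeholder value: the sha256 of an empty file; regenerate with updpkgsums.
sha256sums=('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
            'SKIP'
            'SKIP')

# Authenticity check: makepkg verifies the .sig against a key whose full
# fingerprint is listed here (the key must be in the builder's keyring).
# Placeholder fingerprint; replace with the upstream signing key.
validpgpkeys=('0000000000000000000000000000000000000000')

package() {
    cd "${pkgname}-${pkgver}"
    install -Dm755 example-tool "${pkgdir}/usr/bin/example-tool"
}

# Assumed pre-push self-check for the packager (not part of makepkg): report any
# source that has neither a real checksum nor another pin, i.e. a detached
# signature listed alongside it or a #commit= fragment.
# Returns 0 when every source is pinned, 1 otherwise.
weak_sums() {
    local i j src status=0
    for i in "${!source[@]}"; do
        src="${source[$i]}"
        case "$src" in
            *.sig|*.asc|*"git+"*"#commit="*) continue ;;
        esac
        if [ "${sha256sums[$i]}" != "SKIP" ]; then
            continue
        fi
        # A SKIP is tolerable only if a detached signature for this file is listed.
        for j in "${!source[@]}"; do
            if [ "${source[$j]}" = "${src}.sig" ] || [ "${source[$j]}" = "${src}.asc" ]; then
                continue 2
            fi
        done
        echo "unpinned source: ${src}"
        status=1
    done
    return "$status"
}
```

Source the file in bash and call weak_sums before pushing; it exits non-zero only for a source whose content nothing pins, which is the case the rejection message describes as a missing "integrity check" rather than a missing "security check".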
