On 12/16/2016 03:40 PM, Olivier Brunel wrote:
> Well, for the record there is a patch[1] for doing just that (and a
> bit more) actually. Because indeed a few upstreams do not provide
> signatures of the source code directly, but either detached sig of
> a checksum file, or checksums as a signed message. The patch in question
> handles both cases.
>
> And as it happens, it will work with firefox upstream, amongst others.
> (Though not with the .dsc files from Debian mentioned in this thread.)
>
> Cheers,
>
>
> [1]
> https://lists.archlinux.org/pipermail/pacman-dev/2015-November/020564.html
Hmm, I had forgotten that. I see that Allan objected to that on the grounds that upstream could re-release the sums e.g. after adding a new artifact to the hundred or so in the Firefox file. So you would either have spurious failures, or be unable to detect re-releases. Although I don't know if there are any stats on how often a checksums file will get updated by upstream like that. Is that a significant concern? -- Eli Schwartz
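The two upstream conventions Olivier describes (a checksum file the packager verifies against a signature, or checksums carried inside a clearsigned message) and the re-release trade-off Eli raises, as an added example; this is not pacman code and not the patch linked above. It assumes `gpg --verify` has already accepted the signature and only shows what happens afterwards: extracting the signed text from the RFC 4880 clearsigned framework (armor headers, dash-escaping), parsing sha256sum(1)-style lines, and comparing two pinning strategies. The checksum lines, artifact bytes and the signature block are constructed placeholders.

```python
"""Extract checksums from a PGP-clearsigned SHA256SUMS message (RFC 4880 sec. 7)
and check a downloaded artifact against them, comparing two pinning strategies.

Added example for this thread, not pacman's code.  All inputs below are
constructed; the signature block is a placeholder and is NOT verified here.
In practice `gpg --verify` runs first and this parsing happens only on success.
"""
import hashlib
import re
from typing import Dict


def extract_clearsigned_text(msg: str) -> str:
    """Return the signed text of a clearsigned message with dash-escaping removed.

    Layout: '-----BEGIN PGP SIGNED MESSAGE-----', armor headers such as
    'Hash: SHA256', one blank line, the signed text, then the signature block.
    """
    lines = msg.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        end = lines.index("-----BEGIN PGP SIGNATURE-----")
    except ValueError as e:
        raise ValueError("not a clearsigned message") from e
    i = start + 1
    while i < end and lines[i].strip() != "":  # skip armor headers
        i += 1
    body = lines[i + 1:end]
    # RFC 4880 7.1: lines beginning with '-' are sent as '- ' + line.
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body)


SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse sha256sum(1) output: '<hex>  <name>' or '<hex> *<name>' (binary)."""
    sums: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("#"):
            continue
        m = SUM_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable checksum line: {line!r}")
        sums[m.group(2)] = m.group(1).lower()
    return sums


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_artifact(sums_msg: str, name: str, data: bytes) -> bool:
    """Per-line check: does the signed sums file vouch for this artifact?
    Survives upstream appending new artifacts to the file."""
    sums = parse_sha256sums(extract_clearsigned_text(sums_msg))
    expected = sums.get(name)
    return expected is not None and expected == sha256_hex(data)


def check_sumsfile_pinned(sums_msg: str, pinned_hex: str) -> bool:
    """Whole-file pin: the packager recorded the sha256 of the entire sums file.
    Detects any re-release, but also fails when upstream merely adds a line."""
    return sha256_hex(sums_msg.encode()) == pinned_hex


def clearsign_placeholder(text: str) -> str:
    """Wrap text in the clearsigned framework with a PLACEHOLDER signature.
    Upstreams produce the real thing with `gpg --clearsign`."""
    escaped = "\n".join(("- " + l) if l.startswith("-") else l
                        for l in text.splitlines())
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + escaped +
            "\n-----BEGIN PGP SIGNATURE-----\n\n(placeholder, not a signature)\n"
            "-----END PGP SIGNATURE-----\n")


# Constructed stand-ins for upstream release artifacts.
ARTIFACT = b"example-1.0.tar.xz: constructed placeholder contents\n"
EXTRA = b"example-1.0-docs.tar.xz: constructed placeholder contents\n"
ORIGINAL_SUMS = clearsign_placeholder(f"{sha256_hex(ARTIFACT)}  example-1.0.tar.xz\n")
# Upstream "re-release": same sum for our artifact, one more file appended.
RERELEASED_SUMS = clearsign_placeholder(
    f"{sha256_hex(ARTIFACT)}  example-1.0.tar.xz\n"
    f"{sha256_hex(EXTRA)}  example-1.0-docs.tar.xz\n")
PINNED_SUMSFILE = sha256_hex(ORIGINAL_SUMS.encode())

if __name__ == "__main__":
    print("per-line, original  :", check_artifact(ORIGINAL_SUMS, "example-1.0.tar.xz", ARTIFACT))
    print("per-line, re-release:", check_artifact(RERELEASED_SUMS, "example-1.0.tar.xz", ARTIFACT))
    print("whole-file pin, original  :", check_sumsfile_pinned(ORIGINAL_SUMS, PINNED_SUMSFILE))
    print("whole-file pin, re-release:", check_sumsfile_pinned(RERELEASED_SUMS, PINNED_SUMSFILE))
```

Run as a script, the per-line check accepts both the original and the re-released sums file, while the whole-file pin rejects the re-release even though the line for the artifact we care about is unchanged; that is the spurious failure Allan's objection refers to. Conversely, a sums file in which our artifact's line has changed fails either way. Neither check replaces signature verification on the sums file.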
