On Fri, 16 Dec 2016 16:04:06 -0500 Eli Schwartz <[email protected]> wrote:
> On 12/16/2016 03:40 PM, Olivier Brunel wrote:
> > Well, for the record there is a patch[1] for doing just that (and a bit more) actually. Because indeed a few upstreams do not provide signatures of the source code directly, but either detached sig of a checksum file, or checksums as a signed message. The patch in question handles both cases.
> >
> > And as it happens, it will work with firefox upstream, amongst others. (Though not with the .dsc files from Debian mentioned in this thread.)
> >
> > Cheers,
> >
> >
> > [1]
> > https://lists.archlinux.org/pipermail/pacman-dev/2015-November/020564.html
>
> Hmm, I had forgotten that. I see that Allan objected to that on the grounds that upstream could re-release the sums e.g. after adding a new artifact to the hundred or so in the Firefox file. So you would either have spurious failures, or be unable to detect re-releases.

Not exactly, as long as you put the hash of the file in the PKGBUILD, any change from upstream would be caught. I believe what Allan pointed out was that using SKIP for the file could lead to such things, but that would be a packaging rule to follow to ensure things don't happen.
