On 16/12/2016 at 22:24, Olivier Brunel wrote:
> On Fri, 16 Dec 2016 16:04:06 -0500
> Eli Schwartz <[email protected]> wrote:
>
>> On 12/16/2016 03:40 PM, Olivier Brunel wrote:
>>> Well, for the record there is a patch[1] for doing just that (and a bit more) actually. Because indeed a few upstreams do not provide signatures of the source code directly, but either detached sig of a checksum file, or checksums as a signed message. The patch in question handles both cases.
>>>
>>> And as it happens, it will work with firefox upstream, amongst others. (Though not with the .dsc files from Debian mentioned in this thread.)
>>>
>>> Cheers,
>>>
>>>
>>> [1] https://lists.archlinux.org/pipermail/pacman-dev/2015-November/020564.html
>>
>> Hmm, I had forgotten that. I see that Allan objected to that on the grounds that upstream could re-release the sums e.g. after adding a new artifact to the hundred or so in the Firefox file. So you would either have spurious failures, or be unable to detect re-releases.
>
> Not exactly, as long as you put the hash of the file in the PKGBUILD, any change from upstream would be caught. I believe what Allan pointed out was that using SKIP for the file could lead to such things, but that would be a packaging rule to follow to ensure things don't happen.
I totally agree with this. :) Quite funnily, this is why I thought the feature I would like makepkg to have was easy to have, because having already downloaded the signed file to add its sha*sum to the corresponding array, it allowed makepkg to correctly parse it with whatever I had put in the sha*sum array, while this doesn’t work if the file isn’t already downloaded.

Bruno
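As an added illustration of the pinning rule discussed above (example code written for this post, not the patch from [1] and not makepkg's own code): the PKGBUILD pins the sha256 of the upstream checksum file instead of SKIP, the tarball is then checked against the entry inside that file, and a detached signature, if one is given, is verified with gpg. The use of sha256sum and gpg, and the file names in the demo, are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or makepkg): the "pin the checksum file
# itself" rule discussed above. The PKGBUILD carries the sha256 of the
# upstream SHA256SUMS file (never SKIP), so a re-released sums file fails
# loudly instead of being trusted; only then is the tarball checked against
# the entry inside it. Assumes GNU coreutils sha256sum and, if a detached
# signature is given, gpg with the upstream key already imported.
#
# verify_pinned_sums SOURCE SUMSFILE PINNED_SHA256 [DETACHED_SIG]
verify_pinned_sums() {
    src=$1; sums=$2; pinned=$3; sig=$4
    name=$(basename "$src")

    # 1. The sums file must be byte-identical to what the packager reviewed.
    actual=$(sha256sum "$sums" | cut -d' ' -f1)
    [ "$actual" = "$pinned" ] || {
        echo "$sums changed upstream: pinned $pinned, got $actual" >&2; return 1; }

    # 2. Optional detached signature over the sums file (a clearsigned
    #    message would need its body extracted first; not handled here).
    if [ -n "$sig" ]; then
        gpg --verify "$sig" "$sums" >/dev/null 2>&1 || {
            echo "bad signature on $sums" >&2; return 1; }
    fi

    # 3. Find the entry whose path ends in our file name (Firefox-style
    #    "hash  dir/sub/file" lines) and compare against the real tarball.
    expected=$(awk -v n="$name" '{ p = $NF; sub(/.*\//, "", p)
                                   if (p == n) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 1; }
    got=$(sha256sum "$src" | cut -d' ' -f1)
    [ "$got" = "$expected" ] || {
        echo "$name does not match the entry in $sums" >&2; return 1; }
    return 0
}

# Constructed demo: a fake tarball, a sums file generated from it, and the
# pinned hash a packager would have placed in the PKGBUILD.
demo_dir=$(mktemp -d)
printf 'constructed tarball contents\n' > "$demo_dir/pkg-1.0.tar.gz"
( cd "$demo_dir" && sha256sum pkg-1.0.tar.gz > SHA256SUMS )
pinned=$(sha256sum "$demo_dir/SHA256SUMS" | cut -d' ' -f1)
verify_pinned_sums "$demo_dir/pkg-1.0.tar.gz" "$demo_dir/SHA256SUMS" "$pinned" \
    && echo "ok: tarball verified against pinned sums file"
# Upstream re-releases SHA256SUMS with one more artifact: the pin catches it.
( cd "$demo_dir" && printf 'x\n' > extra.tar.gz && sha256sum extra.tar.gz >> SHA256SUMS )
verify_pinned_sums "$demo_dir/pkg-1.0.tar.gz" "$demo_dir/SHA256SUMS" "$pinned" \
    || echo "rejected: re-released sums file (expected)"
rm -rf "$demo_dir"
```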