On Fri, Jul 07, 2023 at 04:07:31PM +0200, Jeremie Courreges-Anglas wrote:
> I'm not completely sold on zapping CHECK_PGPSIG, and using a specific
> make target, instead of handling this in make checksum.  Using the
> checksum target would be more strict I guess.

Depends who you're targeting. Assuming the guy updating the port is
doing the check, and thus making it easy in "make makesum" would
have some kind of purpose.

I'm pretty sure wacky shitz like signing something that's not the actual
tgz deserves special treatment.

If anything, talk to upstream so that they have somewhat standard behavior.


There's some kind of chicken-and-egg: anything that gets (normally)
downloaded is in distfile/supdistfiles. If you're checking signatures on
a dpb capable box, how do you make sure the asc files don't get removed?
They have to be in history (like SUPDISTFILES).

So, figure out the best workflow...

checksum or makesum? sha256 for .asc files as well? put them in
SUPDISTFILES?
