[aur-general] Discussion about AUR packages signing

2014-08-07 Thread Fabien Dubosson
Hi, I want to start a discussion about AUR packages signing. If this debate already happened, it means that I'm not really good with Google or unfortunate in the keywords I used in my searches: in these cases forgive me and just give me some pointers. TL;DR I personally "trust" some AUR users who

Re: [aur-general] Discussion about AUR packages signing

2014-08-07 Thread Dave Reisner
On Thu, Aug 07, 2014 at 09:57:24PM +0200, Fabien Dubosson wrote: > Hi, > > I want to start a discussion about AUR packages signing. If this debate > already happened, it means that I'm not really good with Google or > unfortunate in the keywords I used in my searches: in these cases > forgive me a

Re: [aur-general] Discussion about AUR packages signing

2014-08-07 Thread Oon-Ee Ng
On Fri, Aug 8, 2014 at 10:06 AM, Dave Reisner wrote: > On Thu, Aug 07, 2014 at 09:57:24PM +0200, Fabien Dubosson wrote: >> Hi, >> >> I want to start a discussion about AUR packages signing. If this debate >> already happened, it means that I'm not really good with Google or >> unfortunate in the k

Re: [aur-general] Discussion about AUR packages signing

2014-08-07 Thread Fabien Dubosson
> I did read your proposal, but my comment can be framed in the context of > your tl;dr: You had to be motivated, afterwards it looks horribly long ;-) > You don't really seem to want GPG signatures, just a whitelist of > package maintainers by name. Any AUR helper could implement support for > t

Re: [aur-general] Discussion about AUR packages signing

2014-08-07 Thread Martti Kühne
On Fri, Aug 8, 2014 at 8:35 AM, Fabien Dubosson wrote: > [...] > > But it does not have the same meaning. The maintainer's name gives me the > information that I am installing a package that claims to be provided by > this maintainer, or uploaded with this maintainer account. GPG > signatures will add the c

Re: [aur-general] Discussion about AUR packages signing

2014-08-08 Thread Daniel Micay
On 08/08/14 02:53 AM, Martti Kühne wrote: > On Fri, Aug 8, 2014 at 8:35 AM, Fabien Dubosson > wrote: >> [...] >> >> But it does not have the same meaning. The maintainer's name gives me the >> information that I am installing a package that claims to be provided by >> this maintainer, or uploaded with this

Re: [aur-general] Discussion about AUR packages signing

2014-08-08 Thread Ralf Mardorf
In the past, what packages provided by the AUR needed signing because somebody manipulated the packages after uploading? AFAIK https for the AUR downloads and checksums for the upstream downloads didn't often cause serious trouble in the past; IIRC it usually was safe. Is there such a security m

Re: [aur-general] Discussion about AUR packages signing

2014-08-08 Thread Fabien Dubosson
> I love that I can make changes and proceed doing so in the course of > building and installing a PKGBUILD from the AUR. So the PKGBUILDs I > usually install aren't cryptographically similar to the package AUR > would provide, deeming any cryptographic signing mechanism useless. The idea of signi

Re: [aur-general] Discussion about AUR packages signing

2014-08-08 Thread Daniel Micay
On 08/08/14 03:43 AM, Ralf Mardorf wrote: > In the past, what packages provided by the AUR needed signing because > somebody manipulated the packages after uploading? AFAIK https for the AUR > downloads and checksums for the upstream downloads didn't often > cause serious trouble in the past; IIR

Re: [aur-general] Discussion about AUR packages signing

2014-08-08 Thread Lukas Fleischer
On Fri, 08 Aug 2014 at 10:02:30, Daniel Micay wrote: > On 08/08/14 03:43 AM, Ralf Mardorf wrote: > > In the past, what packages provided by the AUR needed signing because > > somebody manipulated the packages after uploading? AFAIK https for the AUR > > downloads and checksums for the upstream downloa

Re: [aur-general] Discussion about AUR packages signing

2014-08-11 Thread Fabien Dubosson
> On a side note, with the release of AUR 4.0.0, we are no longer going > to use source tarballs. Every source package will have its own Git > repository and you can use signed tags or signed commits. Actually that is more than a side note, that answers my main concern. Glad to hear that it would