On Sun, May 29, 2022 at 10:25:52PM +0200, Jonas Witschel wrote:
> This best practice of using pinned tag object hashes could then be enforced by
> a tool like your recently created archlinux-inputs-fsck [3]. Note that this
> project currently does not recognise PKGBUILDs with pinned tag hashes as secure
> (because it does not distinguish between regular tag names and object hashes).
> For the reasons outlined by the previous posters I don't think this assessment
> as currently made by archlinux-inputs-fsck is justified [4].
I think namcap should get support for warning against this. There is quite a bit of room for improvement over this I reckon.

-- 
Morten Linderud
PGP: 9C02FF419FECBE16
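As an added illustration, not code from namcap, archlinux-inputs-fsck or anyone in this thread, here is a Python check of the kind the reply suggests namcap could carry: it separates a `#tag=`/`#commit=` fragment holding a full object hash from a tag or branch name, which is the distinction the quoted message says archlinux-inputs-fsck does not make. The PKGBUILD and its hashes are constructed; the only assumption about makepkg is its `[name::]url#key=value` VCS source syntax.

```python
import re
import shlex

# makepkg VCS sources look like [name::]git+URL#key=value. A full SHA-1 (40 hex)
# or SHA-256 (64 hex) object id is immutable; tag and branch names are refs the
# remote can move. That distinction is what the thread says the fsck tool lacks.
_HEX_OBJECT = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")
_SOURCE_ENTRY = re.compile(
    r"^(?:[^:]+::)?(?P<url>git(?:\+\w+)?://[^#\s]+)(?:#(?P<frag>\S+))?$")

# Constructed sample PKGBUILD; the hashes are made up, not real objects.
SAMPLE_PKGBUILD = """pkgname=example
source=("git+https://example.invalid/example.git#tag=v1.2.3"
        "pinned::git+https://example.invalid/example.git#tag=0123456789abcdef0123456789abcdef01234567"
        "git+https://example.invalid/other.git#commit=89abcdef0123456789abcdef0123456789abcdef"
        "git+https://example.invalid/dev.git#branch=main"
        "https://example.invalid/example-1.2.3.tar.gz")
"""

def classify_vcs_source(entry: str) -> dict:
    """Decide whether one source=() entry pins an immutable git object."""
    m = _SOURCE_ENTRY.match(entry.strip())
    if not m:
        return {"vcs": False}  # plain tarball/file source, out of scope here
    frag = m.group("frag") or ""
    key, _, value = frag.partition("=")
    if not frag:
        pinned, reason = False, "no fragment: follows the remote's default branch"
    elif key == "branch":
        pinned, reason = False, f"branch={value} is a mutable ref"
    elif key in ("tag", "commit") and _HEX_OBJECT.match(value):
        pinned, reason = True, f"{key} pinned to a full object hash"
    elif key == "tag":
        pinned, reason = False, f"tag={value} is a name the remote can re-point"
    elif key == "commit":
        pinned, reason = False, f"commit={value} is not a full object hash"
    else:
        pinned, reason = False, f"unrecognised fragment {frag}"
    return {"vcs": True, "key": key or None, "pinned": pinned, "reason": reason}

def lint_sources(pkgbuild: str) -> list:
    """Return (entry, verdict) for each VCS entry in the first source=() array."""
    m = re.search(r"^source(?:_\w+)?=\((.*?)\)", pkgbuild, re.S | re.M)
    results = []
    for entry in shlex.split(m.group(1)) if m else []:
        c = classify_vcs_source(entry)
        if c["vcs"]:
            results.append((entry, "ok" if c["pinned"] else "W: " + c["reason"]))
    return results
```

Running `lint_sources(SAMPLE_PKGBUILD)` flags the `tag=v1.2.3` and `branch=main` entries and accepts the two hash-pinned ones; the array parsing is a simplification and does not evaluate bash variables.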