On 2022-05-30 07:46, Allan McRae wrote:
> On 30/5/22 06:25, Jonas Witschel wrote:
> > Nevertheless I would love to see more (ideally all) packages using pinned tag
> > object hashes over tag names, which I think would provide a tangible security
> > benefit.
>
> I thought this was already the standard. There were lots of bug reports
> (and a todo list?) to remove people using a tag a while back.
>
> Is there just a lack of detailed PKGBUILD guidelines?

I could not find it in the package guidelines, so there is definitely a
documentation issue. Therefore I amended the wiki accordingly:
https://wiki.archlinux.org/index.php?title=Arch_package_guidelines&diff=731044&oldid=726554

On 2022-05-29 23:20, Morten Linderud wrote:
> I think namcap should get support for warning against this. There is quite a bit
> of room for improvement over this I reckon.

This sounds like a good idea as well in order to increase visibility, since it
can be hard to keep up with guideline changes (especially if not communicated
via a mailing list discussion or an RFC, unlike this one).

Cheers,
Jonas

-- 
Jonas Witschel
Arch Linux Developer, Trusted User and security team member
PGP key: FE2E6249201CA54A4FB90D066E80CA1446879D04
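As an added illustration of the check the thread asks namcap to perform (example code written for this page, not namcap's code and not from the thread), here is a small POSIX shell lint that classifies makepkg-style VCS source entries: a `#tag=` or `#commit=` value that is a full git object hash counts as pinned, while tag names, branches and fragment-less git sources are flagged. It assumes makepkg's `#tag=`, `#commit=` and `#branch=` fragment syntax and the optional `?signed` suffix; the sample source array at the bottom is constructed, not a real package.

```shell
#!/bin/sh
# Added example for this page (not namcap's code and not from the thread):
# classify makepkg-style VCS source entries so that mutable references
# (tag names, branches, no fragment at all) are flagged, while references
# pinned to a full git object hash pass.
# Assumptions: makepkg fragment syntax "#tag=", "#commit=", "#branch=" and
# the optional "?signed" suffix; a pinned reference is a full hex object
# hash (40 hex digits for SHA-1 repositories, 64 for SHA-256 ones).

# Succeeds when $1 is a full hex object hash (SHA-1 or SHA-256 length).
is_pinned_ref() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ] || [ "${#1}" -eq 64 ]
}

# Print a verdict for one source entry:
#   ok-nonvcs      not a git source; integrity is covered by the checksum arrays
#   ok-pinned      #tag= or #commit= holds a full object hash
#   warn-tag-name  #tag= holds a tag name, which upstream can move to another commit
#   warn-branch    #branch= always tracks a moving target
#   warn-unpinned  no usable fragment, so whatever HEAD is at build time gets used
classify_source() {
    entry=$1
    case "$entry" in
        git+*|*::git+*|git://*|*::git://*) ;;
        *) echo ok-nonvcs; return 0 ;;
    esac
    case "$entry" in
        *'#'*) frag=${entry##*#} ;;
        *) echo warn-unpinned; return 0 ;;
    esac
    frag=${frag%\?signed}   # "?signed" only requests a PGP check; it does not pin anything
    key=${frag%%=*}
    val=${frag#*=}
    case "$key" in
        commit) if is_pinned_ref "$val"; then echo ok-pinned; else echo warn-unpinned; fi ;;
        tag)    if is_pinned_ref "$val"; then echo ok-pinned; else echo warn-tag-name; fi ;;
        branch) echo warn-branch ;;
        *)      echo warn-unpinned ;;
    esac
}

# Lint every argument as one source entry; warnings go to stderr and the
# number of flagged entries is printed on stdout.
lint_sources() {
    warnings=0
    for src in "$@"; do
        verdict=$(classify_source "$src")
        case "$verdict" in
            warn-*)
                warnings=$((warnings + 1))
                printf 'WARN %s: %s\n' "$verdict" "$src" >&2 ;;
        esac
    done
    echo "$warnings"
}

# Constructed sample source array (not a real package) for a stand-alone run.
demo() {
    lint_sources \
        'https://example.org/foo-1.2.3.tar.gz' \
        'git+https://example.org/foo.git#tag=v1.2.3' \
        'foo::git+https://example.org/foo.git#tag=0123456789abcdef0123456789abcdef01234567?signed' \
        'git+https://example.org/foo.git#branch=main' \
        'git+https://example.org/foo.git'
}

demo
```

Running it prints three WARN lines on stderr (the tag name, the branch and the fragment-less entry) and `3` on stdout; only the entry whose `#tag=` is a full object hash passes, which is exactly the distinction between a tag name and a pinned tag object hash that the message is about.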