Am 05.12.2016 um 23:45 schrieb Eli Schwartz via arch-general:
> On 12/05/2016 05:25 PM, sivmu wrote:
>> A LOT of packages do not use pgp validation even though upstream
>> provides signatures. That is the real issue here.
>>
>> Let me say this again: everyone who is responsible for arch packages
>> needs to be clearly advised to use all available methods to effectively
>> verify upstream source files.
>>
>> Using a strong hash by default won't do that.
> 
> AUR packages, or repo packages? There was a todo list[1] for the repos.
> 
> For anything in the AUR you should definitely drop a comment on their
> page. And change the wiki guidelines on packaging standards to mention this.
> 

Wow thanks for the link, I did not kow that yet. That looks awesome.

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to