FS#63970 - [sway] Include PGP package checking
Attached to Project:
Community Packages
Opened by Brett Cornwall (ainola) - Tuesday, 01 October 2019, 01:22 GMT
Last edited by Brett Cornwall (ainola) - Tuesday, 15 October 2019, 04:02 GMT
Details
The Github release tarballs have an accompanying .sig file.
It would be good to use those.
Closed by Brett Cornwall (ainola)
Tuesday, 15 October 2019, 04:02 GMT
Reason for closing: Fixed
Additional comments about closing: Upstream had fixed this the day it was reported. I've released a new version that restores GPG verification. The response times for this could have been much better.
Lessons learned from this:
* Do not remove GPG keys unless there is good reason to do so (perhaps seek a second opinion)
* Unsavory comments toward fellow packagers do not help the situation and likely worsen it.
* Keep all interested parties in the loop when contacting an outside source
* Follow through quick fixes sooner rather than later, particularly when politics get involved.
The PGP signatures used to work, until they got mysteriously dropped during pkgver=1.2_rc2, which got built from git (and required an epoch to recover from). Did we really drop signatures just because someone was too busy to package a release candidate to even ask what was up with that key?
I tried to resist answering, but as I'm answering anyway:
It is an absolute no-go, with no excuse, to drop signatures and proceed when a signature doesn't apply; that's literally the worst thing that could happen. If it is technically detected that there is a verification issue with the authenticity, then it must be properly resolved; otherwise it's no different from clicking "Suppress and continue" on a popup that tells you "This piece of software is not what the author expects it to be, it may be malicious". I am frankly very much frustrated to see gpg handling like this happening.
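The declaration the report asks for (fetch the .sig next to the tarball and pin the signing key), beside the weakened form the thread complains about, as an added example that is not the sway PKGBUILD from the Arch repository. The URL, the sha256 value and the key fingerprint are placeholders; lint_sigs is a hypothetical helper written here to catch the "signature dropped / hash SKIPped" pattern, not a makepkg feature. What makepkg itself does with these arrays is: verify each .sig against the keys listed in validpgpkeys and abort the build on failure; 'SKIP' is only appropriate for the .sig entry, which has no checksum of its own.

```bash
#!/usr/bin/env bash
# Added example, not the repo's sway PKGBUILD. All URLs, sums and fingerprints
# below are placeholders.

# --- Weak form (what the report describes): tarball only, no signature ---
weak_source=("https://example.invalid/sway-1.2.tar.gz")
weak_sha256sums=("0000000000000000000000000000000000000000000000000000000000000000")
weak_validpgpkeys=()

# --- Half-fixed form: .sig fetched, but signer not pinned. makepkg would then
#     accept any key that happens to be in the builder's keyring.
unpinned_source=("https://example.invalid/sway-1.2.tar.gz"
                 "https://example.invalid/sway-1.2.tar.gz.sig")
unpinned_sha256sums=("0000000000000000000000000000000000000000000000000000000000000000"
                     'SKIP')
unpinned_validpgpkeys=()

# --- Corrected form: detached signature fetched, full fingerprint pinned.
#     makepkg verifies the .sig against validpgpkeys and aborts on failure.
good_source=("https://example.invalid/sway-1.2.tar.gz"
             "https://example.invalid/sway-1.2.tar.gz.sig")
good_sha256sums=("0000000000000000000000000000000000000000000000000000000000000000"
                 'SKIP')
good_validpgpkeys=("0123456789ABCDEF0123456789ABCDEF01234567")  # placeholder fingerprint

# lint_sigs SOURCE_ARRAY SUMS_ARRAY KEYS_ARRAY  (array *names*, passed by reference)
# Hypothetical helper: returns 0 if the declaration is fail-closed, 1 otherwise,
# printing one line per finding. It flags exactly the shortcuts that let an
# unverified tarball through: a non-signature source with checksum 'SKIP',
# no detached signature at all, or a signature with no pinned signer.
lint_sigs() {
    local -n src=$1 sums=$2 keys=$3
    local rc=0 i has_sig=0
    if [ "${#src[@]}" -ne "${#sums[@]}" ]; then
        echo "source/sha256sums length mismatch"
        return 1
    fi
    for i in "${!src[@]}"; do
        case "${src[$i]}" in
            *.sig|*.asc|*.sign)
                has_sig=1            # the signature file itself is allowed 'SKIP'
                ;;
            *)
                if [ "${sums[$i]}" = "SKIP" ]; then
                    echo "unverified source: ${src[$i]} has sha256sum SKIP"
                    rc=1
                fi
                ;;
        esac
    done
    if [ "$has_sig" -eq 0 ]; then
        echo "no detached signature listed in source=()"
        rc=1
    elif [ "${#keys[@]}" -eq 0 ]; then
        echo "signature listed but validpgpkeys=() is empty (signer not pinned)"
        rc=1
    fi
    return "$rc"
}
```

Run the linter against the three declarations (lint_sigs good_source good_sha256sums good_validpgpkeys, and likewise for weak_* and unpinned_*); only the corrected form passes. When the signature does not verify during a real build, the right move is the one the last comment describes: stop, find out why the key or signature changed, and contact upstream, rather than deleting the .sig line and rebuilding.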