FS#67194 - [vbam] use signed git tag
Attached to Project:
Community Packages
Opened by T.J. Townsend (blakkheim) - Saturday, 04 July 2020, 21:47 GMT
Last edited by freswa (frederik) - Sunday, 13 September 2020, 18:17 GMT
Opened by T.J. Townsend (blakkheim) - Saturday, 04 July 2020, 21:47 GMT
Last edited by freswa (frederik) - Sunday, 13 September 2020, 18:17 GMT
|
Details
Description:
The vbam-sdl / vbam-wx packages have a "validpgpkeys" line, but the source URL does not actually make use of them. The attached patch switches to the signed version of the git tag. |
This task depends upon
Closed by freswa (frederik)
Sunday, 13 September 2020, 18:17 GMT
Reason for closing: Fixed
Additional comments about closing: vbam 2.1.4-3
Sunday, 13 September 2020, 18:17 GMT
Reason for closing: Fixed
Additional comments about closing: vbam 2.1.4-3
If there is a simpler way to use the pgp-signed version of the hash, let me know and I'll redo it.
Edit: Also, don't change the URL (removing .git), you invalidate previous clones.
Edit2: The hash is preferred because upstreams can't be trusted not to rewrite history. It's amazing how often it happens.
_commit=(09fbcbac07148ea32add848722dab34a7eb4f6b5) # v2.1.4
source=("git+https://github.com/visualboyadvance-m/visualboyadvance-m?signed#tag=${_commit}")
I still get:
visualboyadvance-m git repo ... SIGNATURE NOT FOUND
https://github.com/visualboyadvance-m/visualboyadvance-m/tags
Assuming the way in the original diff (which does verify the signature) is wrong, could you show the proper way to handle this? Thanks.
Why would you call it _commit when it's not a commit? Why a separate variable at all?
Personally, I prefer to have the hash in a separate variable for ease of updating, but one universal rule of submitting patches is to not change the author's style.