FS#69875 - [zstd] use signed release

Attached to Project: Arch Linux
Opened by T.J. Townsend (blakkheim) - Wednesday, 03 March 2021, 22:26 GMT
Last edited by Eli Schwartz (eschwartz) - Friday, 14 May 2021, 21:42 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Jelle van der Waa (jelly)
Levente Polyak (anthraxx)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
Attached diff switches the zstd package to a PGP-signed git tag for authenticity.

Closed by Eli Schwartz (eschwartz)
Friday, 14 May 2021, 21:42 GMT
Reason for closing: Implemented
Additional comments about closing: In trunk
Comment by Levente Polyak (anthraxx) - Wednesday, 03 March 2021, 22:47 GMT
I don't think this is something we can bootstrap trust on and put it into a stone table. If you look at the history, most tags are just done by GitHub.
If you wish to have this, please open an issue upstream and discuss providing signed releases and which set of keys to trust.
Please reference the upstream ticket that you open here as well.
Comment by T.J. Townsend (blakkheim) - Wednesday, 03 March 2021, 22:54 GMT
Ok, I will make a github account tonight and open an issue there.
Comment by T.J. Townsend (blakkheim) - Wednesday, 03 March 2021, 23:06 GMT Comment by T.J. Townsend (blakkheim) - Friday, 14 May 2021, 21:39 GMT Comment by Eli Schwartz (eschwartz) - Friday, 14 May 2021, 21:39 GMT
The latest version (1.5.0) introduces PGP-signed tarballs, see the release notes.

Reopening.
