Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#69968 - [qtile] use signed git tag
Attached to Project:
Community Packages
Opened by T.J. Townsend (blakkheim) - Saturday, 13 March 2021, 00:18 GMT
Last edited by David Runge (dvzrv) - Friday, 26 March 2021, 18:13 GMT
Details
Description:
Attached diff switches the qtile package to use a PGP-signed git tag for authenticity.
Additional info: Key is on keyserver.ubuntu.com
Closed by David Runge (dvzrv)
Friday, 26 March 2021, 18:13 GMT
Reason for closing: Won't implement
Additional comments about closing: Upstream does not provide chain of trust and a document stating valid PGP key IDs used for releases.
https://github.com/qtile/qtile/issues/2327 tracks this upstream
qtile.diff
As long as upstream does not provide a central document about who is the release manager and which keys are expected to be used for release verification, and introduce a chain of trust, this change does not provide any improvement with regard to supply chain security.
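The distinction drawn in the closing comment, between a tag whose signature merely verifies and a tag signed by a key the packager has grounds to expect, can be shown as an added example (not taken from the attached diff or the qtile package). The function name `pinned_signer`, the fingerprints and the GnuPG status text are constructed for illustration; in a live check the status text would come from `git verify-tag --raw <tag> 2>&1`.

```shell
#!/bin/sh
# Added example: accept a signed tag only when the signer's fingerprint is on
# a pinned allowlist. All key material and status lines below are constructed.

# Constructed fingerprint standing in for a key that upstream would publish
# in a release-signing document.
PINNED_FPR=0123456789ABCDEF0123456789ABCDEF01234567

# Constructed GnuPG status output for a good signature made by a subkey.
# VALIDSIG field 3 is the signing key, field 12 the primary key fingerprint.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2021-03-13 1615594680 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

# pinned_signer STATUS_TEXT [FINGERPRINT...]
# Returns 0 only if STATUS_TEXT contains a VALIDSIG line whose primary-key
# fingerprint (or signing-key fingerprint when no primary is reported)
# matches one of the pinned fingerprints. A signature that verifies against
# an arbitrary key fetched from a keyserver is rejected.
pinned_signer() {
    ps_status=$1
    shift
    ps_signer=$(printf '%s\n' "$ps_status" | awk '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            print toupper(NF >= 12 ? $12 : $3)
            exit
        }')
    # No VALIDSIG line: unsigned tag, bad signature, or missing public key.
    if [ -z "$ps_signer" ]; then
        return 1
    fi
    for ps_pinned in "$@"; do
        ps_pinned=$(printf '%s' "$ps_pinned" | tr 'a-f' 'A-F')
        if [ "$ps_signer" = "$ps_pinned" ]; then
            return 0
        fi
    done
    return 1
}

if pinned_signer "$SAMPLE_STATUS" "$PINNED_FPR"; then
    echo "tag accepted: signer is pinned"
else
    echo "tag rejected: signer is not pinned"
fi
```

The allowlist is only as trustworthy as its source, which is why the comment asks for an upstream document naming the release keys before the check adds anything.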