FS#70325 - [nodejs] use signed git tag

Attached to Project: Community Packages
Opened by T.J. Townsend (blakkheim) - Wednesday, 07 April 2021, 01:01 GMT
Last edited by Jelle van der Waa (jelly) - Sunday, 17 September 2023, 09:02 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Felix Yan (felixonmars)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
Attached diff switches the nodejs package to a PGP-signed git tag for authenticity.

Closed by  Jelle van der Waa (jelly)
Sunday, 17 September 2023, 09:02 GMT
Reason for closing:  Deferred
Comment by Allan McRae (Allan) - Wednesday, 07 April 2021, 01:38 GMT
Tags can be moved... We should only use git commit IDs in our packages.
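What "tags can be moved" means in practice, as an added example that is not part of the bug report or the nodejs repository: a throwaway repository (constructed here, not node's) gets a commit tagged v1.0.0, the tag is then force-moved to a commit with different content, and only a check against the commit ID recorded at review time notices. Repository path, tag name and the helper names are assumptions of the example.

```shell
# Added example (not from the bug report or nodejs): a tag is a mutable ref,
# a commit ID is not. Constructed throwaway repo, not the node repository.

# git with a fixed identity and signing off, so it runs on a bare build box
g() {
    git -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false -c init.defaultBranch=main "$@"
}

# make_repo: one commit tagged v1.0.0; prints the repository path
make_repo() {
    repo=$(mktemp -d)
    g -C "$repo" init -q
    printf 'v1\n' > "$repo/file"
    g -C "$repo" add file
    g -C "$repo" commit -q -m "release v1.0.0"
    g -C "$repo" tag v1.0.0
    printf '%s\n' "$repo"
}

# resolve_tag REPO TAG: the commit the tag points at right now
resolve_tag() {
    g -C "$1" rev-parse "refs/tags/$2^{commit}"
}

# move_tag REPO TAG: what upstream (or anyone with push rights to the repo)
# can do after the packager reviewed the tag: re-point it at other content
move_tag() {
    printf 'v1 plus an unreviewed change\n' > "$1/file"
    g -C "$1" commit -q -am "unreviewed change"
    g -C "$1" tag -f "$2" >/dev/null
}

# check_pinned REPO TAG COMMIT: the check a package should make; fails unless
# the tag still resolves to the commit ID recorded when it was reviewed
check_pinned() {
    [ "$(resolve_tag "$1" "$2")" = "$3" ]
}

# Stand-alone demo
demo_repo=$(make_repo)
pinned=$(resolve_tag "$demo_repo" v1.0.0)
echo "v1.0.0 reviewed at $pinned"
move_tag "$demo_repo" v1.0.0
if check_pinned "$demo_repo" v1.0.0 "$pinned"; then
    echo "tag still matches the pinned commit"
else
    echo "tag moved: now $(resolve_tag "$demo_repo" v1.0.0), pinned $pinned"
fi
rm -rf "$demo_repo"
```

In a PKGBUILD the same pin is expressed with makepkg's VCS source fragment `#commit=<id>` rather than `#tag=<name>`; a signed tag still adds value (`?signed` makes makepkg verify it), but the commit ID is what fixes the content being built.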
Comment by Eli Schwartz (eschwartz) - Wednesday, 07 April 2021, 01:49 GMT
Technically the canonical download location is NOT github, but rather https://nodejs.org/dist/v15.14.0/node-v15.14.0.tar.gz

They do provide a PGP-signed SHASUMS256.txt, but we can't use indirectly signed manifests in makepkg.

I think the best solution here is to open a ticket with the nodejs team asking them to, in addition to signing the checksum file, also sign the tarballs themselves.
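The indirect chain Eli describes, done by hand outside makepkg: verify the signature on the manifest, pick the entry for exactly this filename, then hash the tarball against it. This is an added example, not code from the bug report or from the nodejs project. It assumes the nodejs.org/dist layout (a SHASUMS256.txt of `<sha256>  <name>` lines with a clearsigned copy SHASUMS256.txt.asc) and runs offline on a constructed fixture: a stand-in "tarball" whose SHA-256 is known in place of the real archive. The gpg step is shown but needs gpg and the upstream release keys, so the demo does not call it.

```shell
# Added example (not from the bug report or the nodejs project): verify a
# release tarball through a PGP-signed checksum manifest, the indirect chain
# makepkg cannot express (validpgpkeys checks signatures on the listed
# sources themselves, not on a manifest that names them).
# Assumed layout is nodejs.org/dist: SHASUMS256.txt with "<sha256>  <name>"
# lines and a clearsigned copy SHASUMS256.txt.asc.

# verify_manifest_signature MANIFEST_ASC: step 1, the manifest is authentic.
# Needs gpg and the upstream release keys imported; not run by the demo below.
verify_manifest_signature() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 3; }
    gpg --batch --verify "$1"
}

# manifest_line MANIFEST NAME: step 2, the entry for exactly this filename
# (exact match on the second field, so node-v15.14.0.tar.gz does not match
# node-v15.14.0-headers.tar.gz). Exit 1 if the name is not listed.
manifest_line() {
    awk -v n="$2" '$2 == n { print; found = 1 } END { exit !found }' "$1"
}

# check_tarball MANIFEST TARBALL: step 3, hash the file and compare.
# Exit 0 on match, 1 on mismatch, 2 if the manifest has no entry for it.
check_tarball() {
    name=$(basename "$2")
    line=$(manifest_line "$1" "$name") || return 2
    (cd "$(dirname "$2")" && printf '%s\n' "$line" | sha256sum -c --status)
}

# make_fixture: constructed offline stand-in for a dist directory; prints its
# path. The ".tar.gz" is the bytes "hello\n", whose SHA-256 is
# 5891b5b5...be03; the ".tar.xz" is tampered while the manifest still lists
# the original hash for it.
make_fixture() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/node-v15.14.0.tar.gz"
    printf 'hello!\n' > "$dir/node-v15.14.0.tar.xz"
    cat > "$dir/SHASUMS256.txt" <<'EOF'
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  node-v15.14.0.tar.gz
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  node-v15.14.0.tar.xz
EOF
    printf '%s\n' "$dir"
}

# Stand-alone demo over the fixture (skips the gpg step, which needs keys)
demo_dir=$(make_fixture)
for f in node-v15.14.0.tar.gz node-v15.14.0.tar.xz node-v15.14.0-headers.tar.gz; do
    status=0
    check_tarball "$demo_dir/SHASUMS256.txt" "$demo_dir/$f" || status=$?
    case $status in
        0) echo "$f: OK" ;;
        1) echo "$f: HASH MISMATCH" ;;
        *) echo "$f: not listed in manifest" ;;
    esac
done
rm -rf "$demo_dir"
```

The exact-filename match matters: a manifest lists several artifacts per release, and a loose `grep` on the version string would happily validate the wrong one. Against the real layout the flow is `verify_manifest_signature SHASUMS256.txt.asc && check_tarball SHASUMS256.txt node-v15.14.0.tar.gz`, with the manifest line taken from the verified .asc copy.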
Comment by T.J. Townsend (blakkheim) - Wednesday, 07 April 2021, 03:55 GMT
Agreed about contacting upstream to get proper signed tarballs being the ideal situation.
Comment by Brett Cornwall (ainola) - Sunday, 14 August 2022, 18:38 GMT
@mysta, were you able to contact upstream?
Comment by T.J. Townsend (blakkheim) - Sunday, 14 August 2022, 18:44 GMT
Sent an email and will post an updated diff if they do it.
Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT
This is an automated comment as this bug has been open for more than 2 years. Please reply if you still experience this bug; otherwise this issue will be closed after 1 month.