Arch Linux


FS#73243 - nano - unused old pgp keys in PKGBUILD have to be imported when building

Attached to Project: Arch Linux
Opened by jello (jello123) - Monday, 03 January 2022, 16:00 GMT
Last edited by Andreas Radke (AndyRTR) - Tuesday, 04 January 2022, 09:02 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Closed
Assigned To: Andreas Radke (AndyRTR)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:
The nano PKGBUILD seems to have some outdated pgp keys in it which need to be imported if you build the package; they do not seem to be required to verify the source.

Additional info:
* package version(s)
nano 6.0-1
* config and/or log files etc.
https://github.com/archlinux/svntogit-packages/blob/packages/nano/trunk/PKGBUILD
* link to upstream bug report, if any
https://forum.artixlinux.org/index.php/topic,3475.msg22498

Steps to reproduce:
Build from the PKGBUILD. I needed to import outdated keys and find a keyserver that had them, along with the current one that is in use.

Looking about at some other random PKGBUILDs, icu keeps various pgp keys for reference but comments them out, which seems a better approach if you wanted to keep them as a memo just in case. Possibly other packages might also be able to be improved in this way; "kwave" lists 3 keys but only one is required. Of course, if there were a situation where different keys were used randomly to sign releases then you might really need to have more than one, but otherwise it's probably just a waste of time and resources having unused keys which then need to be imported in the validpgpkeys field. In the case of nano though, one very old key is from a former maintainer and the current maintainer is using his current key to sign the download, so including his old expired one as well seems redundant to me.
icu PKGBUILD for comparison:
https://github.com/archlinux/svntogit-packages/blob/master/icu/trunk/PKGBUILD

Closed by Andreas Radke (AndyRTR)
Tuesday, 04 January 2022, 09:02 GMT
Reason for closing: Fixed
Additional comments about closing: fix committed to trunk for future builds
Comment by Allan McRae (Allan) - Monday, 03 January 2022, 21:15 GMT
You do not need to import all keys in validpgpkeys to build a package. Only the currently used one.
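As an added illustration of the point made in this thread (not code from the report, from Arch, or from the nano package), the following audit script lists the validpgpkeys entries a PKGBUILD still carries although no source signature is made by them; the PKGBUILD fragment and the gpg --list-packets output are constructed samples with placeholder fingerprints, not nano's real keys.

```python
import re

# Constructed PKGBUILD fragment (not nano's): one key in use, one kept only
# as a commented-out memo (the icu style), one expired but still active.
SAMPLE_PKGBUILD = """\
pkgname=examplepkg
source=("https://example.invalid/${pkgname}-1.0.tar.xz"{,.asc})
validpgpkeys=('1111111111111111111111110000AAAA0000BBBB'   # current maintainer
              # '2222222222222222222222220000CCCC0000DDDD' # former maintainer, memo only
              '3333333333333333333333330000EEEE0000FFFF')  # expired key, same maintainer
"""

# Constructed `gpg --list-packets examplepkg-1.0.tar.xz.asc` output for a
# signature made by the first key; v4 signatures carry an issuer fpr subpacket.
SAMPLE_LIST_PACKETS = """\
:signature packet: algo 1, keyid 0000AAAA0000BBBB
\tversion 4, created 1641024000, md5len 0, sigclass 0x00
\thashed subpkt 33 len 21 (issuer fpr v4 1111111111111111111111110000AAAA0000BBBB)
\tsubpkt 16 len 8 (issuer key ID 0000AAAA0000BBBB)
"""


def parse_validpgpkeys(pkgbuild: str) -> list[str]:
    """Return the active (not commented-out) fingerprints in validpgpkeys=(...)."""
    m = re.search(r"validpgpkeys=\((.*?)\)", pkgbuild, re.S)
    if not m:
        return []
    keys = []
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0]  # '#' starts a bash comment; memo keys live there
        keys += [k.upper() for k in re.findall(r"['\"]([0-9A-Fa-f]{40})['\"]", line)]
    return keys


def signer_ids(list_packets: str) -> set[str]:
    """Collect issuer fingerprints and 64-bit key IDs from gpg --list-packets text."""
    return set(re.findall(r"issuer fpr v4 ([0-9A-F]{40})", list_packets)) | set(
        re.findall(r"keyid ([0-9A-F]{16})", list_packets))


def unused_keys(pkgbuild: str, list_packets_outputs: list[str]) -> list[str]:
    """validpgpkeys entries that signed none of the given source signatures."""
    signers = set().union(*(signer_ids(out) for out in list_packets_outputs))
    # A long key ID is the last 16 hex digits of the v4 fingerprint.
    return [k for k in parse_validpgpkeys(pkgbuild)
            if k not in signers and k[-16:] not in signers]


if __name__ == "__main__":
    for fpr in unused_keys(SAMPLE_PKGBUILD, [SAMPLE_LIST_PACKETS]):
        print(f"unused validpgpkeys entry: {fpr}")
```

Against a real package, feed it the PKGBUILD text and the `gpg --list-packets` output of each downloaded `.sig`/`.asc` file; entries it reports can be dropped or commented out as in icu.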
