Thanks for your detailed input on the matter. Your proposal is interesting but I'm not convinced it's the way to go though (as you kinda said yourself). While the information you gave may be valuable security-wise, I don't think such a workflow would be expected:

First of all, while it may not be convenient in Spotify's specific case (since they tend to change the signing GPG key often, even between two releases), I don't think having a "self-updating" PKGBUILD on that front would be expected. I assume such a change should be acknowledged, verified and edited properly by the package maintainers themselves, as it's supposed to be for pkgver or checksum changes for instance (with the exception of -git packages by their nature, obviously). Additionally, having it automatically import the key into the user's local keyring would be even less expected (the '# Maybe even:' part in your proposal). For what it's worth, such a mechanism has been implemented in this package once but was quickly reverted due to it being objectively wrong.

Moreover, I think it's important to keep the PKGBUILD as clear and as intelligible as possible, not only for its maintenance but also for trust reasons. In my opinion, it is more trustworthy to have the PKGBUILD clearly state what key it is expecting (whether it is correct/up-to-date or not) than having to actually launch a build against the said PKGBUILD to get the information (since with such an auto-updating mechanism, you cannot guarantee that the key noted in the validpgpkeys array is indeed the one returned by the validpgpkeys=() function, until you actually run it yourself). It may be convenient but it just makes getting the actual information harder in my opinion.

Lastly, I think it is important to remind you that AUR packages are not officially supported (as community maintained packages).
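As an added illustration of the point above (not code from the AUR thread or from the spotify package), this POSIX shell check tells a reviewer whether a PKGBUILD's validpgpkeys array is a literal list of full fingerprints that can be read without running a build, or whether it is computed at build time or uses short key IDs. The three PKGBUILD fragments are constructed samples with placeholder fingerprints and an example.invalid URL.

```shell
# Constructed samples (not the real spotify PKGBUILD): a static validpgpkeys
# array, the "self-updating" pattern argued against above, and a short key ID.
STATIC_PKGBUILD='pkgname=example
pkgver=1.0.0
validpgpkeys=(
  "0123456789ABCDEF0123456789ABCDEF01234567"
)
source=("https://example.invalid/example-${pkgver}.tar.gz")'
DYNAMIC_PKGBUILD='pkgname=example
pkgver=1.0.0
# key fetched from the vendor at build time, so the PKGBUILD does not state it
validpgpkeys=($(curl -s https://example.invalid/pubkey.txt | tail -n1))'
SHORTID_PKGBUILD='pkgname=example
validpgpkeys=("01234567")'

# Print the validpgpkeys=( ... ) assignment, whether it spans one line or several.
extract_validpgpkeys() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*validpgpkeys=\(/ { inarr = 1 }
        inarr { print; if (index($0, ")") > 0) exit }'
}

# Returns 0 when the array is a literal list of full 40-hex-digit fingerprints,
# 1 when it is missing, empty, uses a short key ID, or is computed at build time.
validpgpkeys_is_static() {
    body=$(extract_validpgpkeys "$1")
    [ -n "$body" ] || return 1
    case "$body" in *'$('*|*'`'*|*'${'*) return 1 ;; esac
    tokens=$(printf '%s\n' "$body" \
        | sed -e 's/^[[:space:]]*validpgpkeys=(//' -e 's/).*$//' -e "s/[\"']//g" \
        | tr ' \t' '\n\n' | sed '/^$/d')
    [ -n "$tokens" ] || return 1
    if printf '%s\n' "$tokens" | grep -qvE '^[0-9A-Fa-f]{40}$'; then
        return 1
    fi
    return 0
}

# Human-readable verdict for one PKGBUILD body.
report() {
    if validpgpkeys_is_static "$2"; then
        echo "$1: validpgpkeys is static (fingerprints readable without building)"
    else
        echo "$1: validpgpkeys is missing, short, or computed at build time"
    fi
}

report static  "$STATIC_PKGBUILD"
report dynamic "$DYNAMIC_PKGBUILD"
report shortid "$SHORTID_PKGBUILD"
```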