Alexander Larsson
The bundled sources are not an extension though. Like, it has no extension point in the app, and the app does not need, nor use, the bundled sources.
I know that the supposed "new" location is metainfo. However, there is no practical difference between using the two, except that "metainfo" doesn't work on runtimes that have older versions...
I don't think it's a great idea to pull in a dependency on dpkg, because either all distros will need to package deb, or app authors can't rely on the...
@gasinvein It's available on some distros, yes, but it is rarely installed. Pulling in a hard dep on it is not an easy sell.
_From @cgwalters on December 20, 2015 15:28_ See also https://github.com/cgwalters/git-evtag
First of all, I don't think a sha256 checksum (which is mandated for all remote archives in builder) is weak. It is actually stronger than e.g. any git signatures, which...
_From @cmacq2 on December 21, 2015 16:45_ Just a point of terminology: GIT commit IDs/checksums are SHA1. SHA1 is cryptographically broken but still valid for checksumming purposes (just as MD5...
_From @cmacq2 on December 21, 2015 16:54_ As for how to implement this for tarballs: a detached PGP signature is probably the way to go. See c.f. machinectl man page...
> So that signature is as strong as the cryptographic strength of the underlying PGP key material

This is not true. A git commit is a small file with committer,...