Package Details: python-jwcrypto v0.6.0.r0.g5d991eb-1

Package Base: python-jwcrypto
Description: Python implementation of JWK, JWS, JWE specifications
Upstream URL:
Licenses: LGPL3
Submitter: abdo
Maintainer: abdo
Last Packager: abdo
Votes: 0
Popularity: 0.000000
First Submitted: 2019-04-27 09:53
Last Updated: 2019-05-11 09:26

Sources (1)

Latest Comments

abdo commented on 2019-05-11 09:56

Apologies for the version problem. I forgot to update the version in the PKGBUILD file. Now it should be ok.

@1ace I know that the upstream repo uses tags. However, I prefer using the hash for a public PKGBUILD, because the hash gives some assurance that the contents of the repo you get are the same as the ones I saw when I built the PKGBUILD for myself. If I used tags, and the upstream repository got compromised, someone could very easily introduce malicious code and tag it with v0.6.0.

It turns out that recent python-jwcrypto tags are signed by the author. I could add a validpgpkeys entry to the PKGBUILD and ask makepkg to verify the tag signature. However, this is not completely transparent, as it requires the users of this PKGBUILD to have gnupg working and to install the package author's public key manually.

1ace commented on 2019-05-11 07:14

Upstream uses tags, you should point to those in your PKGBUILD instead of a commit hash (replace #commit=${_commit} with #tag=v$pkgver).

You should also drop the pkgver() as it makes the package version never match the one on the AUR, making it recompile on every update even though the new package is identical to the old one.

CanalGuada commented on 2019-04-29 17:17

Final pkgver doesn't match the one in PKGBUILD and .SRCINFO. Thus this package always has to be rebuilt, since it unnecessarily looks like it is outdated.

Please update these two files accordingly. Or simply remove the pkgver() function in PKGBUILD if you don't want to track more than the upstream tag with pkgver, as per the wiki.
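The pinning trade-off abdo and 1ace discuss above (an immutable #commit= hash versus a mutable #tag=, or #tag=...?signed verified through validpgpkeys) can be checked mechanically when reviewing a PKGBUILD. The following POSIX shell helper is an added example, not code from this package or from makepkg; it also covers branch, unpinned and abbreviated-id cases the thread does not mention, and the URL and object id in its sample entries are constructed placeholders.

```shell
#!/bin/sh
# Classify how a single PKGBUILD git source entry is pinned.
# Verdicts (printed on stdout):
#   commit        #commit= with a full 40-hex object id: immutable
#   short-commit  #commit= with an abbreviated id: ambiguous if a collision is pushed
#   ref           #commit= given a ref name instead of an id: mutable
#   signed-tag    #tag=...?signed: makepkg checks the tag against validpgpkeys
#   tag           #tag= alone: a compromised upstream can re-point the tag
#   branch        #branch=: mutable
#   unpinned      no fragment at all: whatever HEAD is at clone time
#   not-git       not a git source (e.g. a tarball)
classify_git_source() {
  entry=$1
  case $entry in
    *git+*) ;;
    *) echo not-git; return 0 ;;
  esac
  case $entry in
    *\#*) fragment=${entry#*\#} ;;
    *) echo unpinned; return 0 ;;
  esac
  signed=no
  case $fragment in
    *\?signed) signed=yes; fragment=${fragment%\?signed} ;;
  esac
  case $fragment in
    commit=*)
      id=${fragment#commit=}
      case $id in
        *[!0-9a-f]*) echo ref ;;
        *) if [ ${#id} -eq 40 ]; then echo commit; else echo short-commit; fi ;;
      esac ;;
    tag=*) if [ $signed = yes ]; then echo signed-tag; else echo tag; fi ;;
    branch=*) echo branch ;;
    *) echo unpinned ;;
  esac
}

# Constructed sample entries: example.invalid host, made-up object id.
demo() {
  for e in \
    'git+https://example.invalid/jwcrypto.git#commit=5d991eb0123456789abcdef0123456789abcdef0' \
    'git+https://example.invalid/jwcrypto.git#commit=5d991eb' \
    'git+https://example.invalid/jwcrypto.git#tag=v0.6.0' \
    'git+https://example.invalid/jwcrypto.git#tag=v0.6.0?signed' \
    'python-jwcrypto::git+https://example.invalid/jwcrypto.git' \
    'https://example.invalid/jwcrypto-0.6.0.tar.gz'; do
    printf '%-13s %s\n' "$(classify_git_source "$e")" "$e"
  done
}
demo
```

A signed-tag verdict is only as good as the validpgpkeys array next to it; the helper classifies the source string alone and does not check that the key is listed.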