Hi,
I'm not a dev. Just a concerned user.
Today, an update to davfs2 1.7.1-2 was detected. But the pgpcheck fails.
Digging into the issue, I found that between the 24th of Feb (1.7.1-1) and the 26th of Feb (1.7.1-2), the source in the package has been changed from GNU to GitHub.
So can anyone tell me if this is a security issue? Or just a mistake from the maintainer?
Age Commit message Author
19 hours update project home Nicolas Lorin
4 days update to 1.7.1 Nicolas Lorin
diff --git a/.SRCINFO b/.SRCINFO
index 8d55ea3c6aa0..d949ea9bc551 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,8 +1,8 @@
pkgbase = davfs2
pkgdesc = File system driver that allows you to mount a WebDAV folder
pkgver = 1.7.1
- pkgrel = 1
- url = https://savannah.nongnu.org/projects/davfs2
+ pkgrel = 2
+ url = https://github.com/alisarctl/davfs2
arch = armv7h
arch = aarch64
arch = x86_64
@@ -11,8 +11,8 @@ pkgbase = davfs2
depends = po4a
backup = etc/davfs2/davfs2.conf
backup = etc/davfs2/secrets
- source = https://download-mirror.savannah.gnu.org/releases/davfs2/davfs2-1.7.1.tar.gz
- source = https://download-mirror.savannah.gnu.org/releases/davfs2/davfs2-1.7.1.tar.gz.sig
+ source = https://github.com/alisarctl/davfs2/releases/download/rel-1-7-1/davfs2-1.7.1.tar.gz
+ source = https://github.com/alisarctl/davfs2/releases/download/rel-1-7-1/davfs2-1.7.1.tar.gz.sig
validpgpkeys = 51A0F4A0C8CFC98F842EA9A8B94556F81C85D0D5
sha512sums = 187a2ccd8946fbd659cbb96165fe5523c9c4f2ba855087bc0493ebce198a5ec581543576f0dd2a8e5da96c4abcc10bb83fcb3d5b573aa72bd1871a9f3914c364
sha512sums = SKIP
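Review bot: The two `source` lines in this hunk move both the tarball and its `.sig` to a different host, yet the commit message only reads "update project home"; please reference the upstream relocation announcement in the commit message or in a comment so the move can be verified independently of this package. The unchanged `validpgpkeys` and first `sha512sums` context lines show that the pinned signer and tarball hash stay the same, which is what a pure change of download location should look like, and that is worth stating explicitly.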
diff --git a/PKGBUILD b/PKGBUILD
index a20b537f3441..17999410e261 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -5,15 +5,15 @@
pkgname=davfs2
pkgver=1.7.1
-pkgrel=1
+pkgrel=2
pkgdesc="File system driver that allows you to mount a WebDAV folder"
arch=('armv7h' 'aarch64' 'x86_64')
-url="https://savannah.nongnu.org/projects/${pkgname}"
+url="https://github.com/alisarctl/${pkgname}"
license=('GPL')
depends=('neon' 'po4a')
backup=(etc/${pkgname}/${pkgname}.conf etc/${pkgname}/secrets)
validpgpkeys=('51A0F4A0C8CFC98F842EA9A8B94556F81C85D0D5') # Ali Abdallah <aabdallah@suse.com>
-source=(https://download-mirror.savannah.gnu.org/releases/${pkgname}/${pkgname}-${pkgver}.tar.gz{,.sig})
+source=(https://github.com/alisarctl/${pkgname}/releases/download/rel-${pkgver//./-}/${pkgname}-${pkgver}.tar.gz{,.sig})
sha512sums=('187a2ccd8946fbd659cbb96165fe5523c9c4f2ba855087bc0493ebce198a5ec581543576f0dd2a8e5da96c4abcc10bb83fcb3d5b573aa72bd1871a9f3914c364'
'SKIP')
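Review bot: On the new `source=` line the release tag is built as `rel-${pkgver//./-}`, which quietly depends on upstream keeping the `rel-1-7-1` style of tag names; a one-line comment above `source=` stating that convention would save the next version bump from a confusing download failure. The `validpgpkeys` comment names the key owner while the new `url=` points at a differently named account, so a short comment tying the two together (with the announcement link) would let a reader confirm the signer without leaving the file.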
Last edited by superkikim (2025-02-28 19:00:20)
Offline
The project has officially moved to GitHub: https://savannah.nongnu.org/news/?id=10692
Ideally the PGP check does not get affected by this, however.
Offline
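Whether a changed download host also changes what makepkg authenticates can be checked mechanically. The following is an added example, not part of the original posts and not Arch tooling: it compares two .SRCINFO revisions built from the fields shown in the diff above; the function names and the escalation rule are assumptions of this sketch.

```python
from urllib.parse import urlparse

# Constructed input: the trust-relevant .SRCINFO fields from the diff in this thread.
SHA = "187a2ccd8946fbd659cbb96165fe5523c9c4f2ba855087bc0493ebce198a5ec581543576f0dd2a8e5da96c4abcc10bb83fcb3d5b573aa72bd1871a9f3914c364"
SRCINFO = """pkgbase = davfs2
pkgver = 1.7.1
pkgrel = {rel}
source = {base}/davfs2-1.7.1.tar.gz
source = {base}/davfs2-1.7.1.tar.gz.sig
validpgpkeys = 51A0F4A0C8CFC98F842EA9A8B94556F81C85D0D5
sha512sums = {sha}
sha512sums = SKIP
"""
OLD = SRCINFO.format(rel=1, sha=SHA, base="https://download-mirror.savannah.gnu.org/releases/davfs2")
NEW = SRCINFO.format(rel=2, sha=SHA, base="https://github.com/alisarctl/davfs2/releases/download/rel-1-7-1")

def parse_srcinfo(text):
    """Collect the repeatable 'key = value' lines of a .SRCINFO into lists."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith("#"):
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields

def hosts(fields):
    """Download hosts of every source entry, including 'name::url' and source_<arch>."""
    urls = (s for k, v in fields.items() if k.split("_")[0] == "source" for s in v)
    return {h for h in (urlparse(u.split("::")[-1]).hostname for u in urls) if h}

def checksums(fields):
    return {k: v for k, v in fields.items() if k.split("_")[0].endswith("sums")}

def review(old_text, new_text):
    """Report changes in the fields makepkg relies on to authenticate sources."""
    old, new = parse_srcinfo(old_text), parse_srcinfo(new_text)
    old_keys, new_keys = set(old.get("validpgpkeys", [])), set(new.get("validpgpkeys", []))
    report = {
        "new_hosts": sorted(hosts(new) - hosts(old)),
        "keys_added": sorted(new_keys - old_keys),
        "keys_removed": sorted(old_keys - new_keys),
        "checksums_changed": checksums(old) != checksums(new),
        "same_version": old.get("pkgver") == new.get("pkgver"),
    }
    # Assumed escalation rule: a new host together with a new signer, a signer
    # list that became empty, or a pinned hash that moved without a version bump.
    report["needs_manual_review"] = bool(
        (report["new_hosts"] and report["keys_added"])
        or (old_keys and not new_keys)
        or (report["same_version"] and report["checksums_changed"]))
    return report
```

For the two revisions in this thread the report shows a new host but an unchanged signer and hash, so the signature check is expected to behave the same from either location.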
Please post the command you used and its full output for the PGP failure.
Offline
Hmmmm... I tried again tonight to answer your question, and it updated successfully. I guess the mirrors I used were not yet in sync. Next time I'll know it might take one or two days.
Offline