https://bugs.winehq.org/show_bug.cgi?id=39859
--- Comment #7 from Austin English austinenglish@gmail.com --- (In reply to Sebastian Lackner from comment #6)
(In reply to Vincent Povirk from comment #5)
We could have Wine verify signatures, but instead we rely on a hardcoded hash. I'm not sure https is even used.
Checking a hash is even more secure than relying on signatures, so I do not see any real disadvantage here, no matter if HTTPS is used or not.
Good point.
I'm not really sure yet whats the best way to do this. It doesn't really belong into the Wine package itself, and we potentially need multiple versions for stable/devel/staging in the same repository. When only the version number is different, older packages might get purged after some time.
Mmm, good point. Perhaps have the gecko/mono package names match the 'branch' name, e.g., wine-gecko-stable, wine-gecko-devel, wine-gecko-staging (not ideal, I realize, but as long as they're in the same repo that may be the best option). wine-gecko-staging may not be needed, at least until y'all start patching gecko in addition to wine ;)