Hi, why has the source moved from gtp.gnu.org to invisible-island.net? The sources are still available on gnu.
Moreover, the ftp.gnu.org over https is encouraged, and this was already working
The "server timing out for me" mostly points to an issue with your own network. Does anyone of you have a direct involvement with invisible-island.net? Or has a way and TIME to verify the sources from there actually match?
In the sense of, yes invisible-island.net is fine as it is directly maintained by the developer of ncurses, who also signs the packages. Nevertheless, isn't it riskier to use a non gnu website when this is available? Just consider the risk of any website being compromised, and then consider which website will find out first between gnu and a smaller one
Pinned Comments
WoefulDerelict commented on 2016-05-23 19:35 (UTC) (edited on 2018-08-18 20:22 (UTC) by WoefulDerelict)
This PKGBUILD verifies the authenticity of the source via PGP signatures which are not part of the Arch Linux keyring. In order to complete the process it is necessary to import the key(s) from the ‘validpgpkeys’ array into the user’s keyring before calling makepkg. There is a helpful article explaining this process by one of Arch Linux's developers located here: http://allanmcrae.com/2015/01/two-pgp-keyrings-for-package-management-in-arch-linux/
Instructions on importing keys from a keyserver and how to automate the retrieval process can be found in the Arch Linux wiki here: https://wiki.archlinux.org/index.php/GnuPG#Use_a_keyserver This article also contains helpful information describing the installation of GnuPG, its configuration and usage.
Execute the following to import keys using gpg:
gpg --recv-keys <KEYID - See 'validpgpkeys' array in PKGBUILD>The PGP signature check can be skipped by passing --skippgpcheck to makepkg.
Consult the makepkg manual page for a full list of options. [https://www.archlinux.org/pacman/makepkg.8.html]