On Mon, December 4, 2017 15:01, Martok wrote: > >>> SourceForge gives checksums, too: >> >> true, clicking on the 'i' in the rightmost column shows a popup with md5 >> and sha1 hashes. > Of course, that doesn't prove nobody has tampered with the files as > present on SF.net, which is the entire point of signed releases.
That comes back to the point about the root source of trust. The recent discussion was more about the data transfer consistency. > I take it there's also no Debian reproducible build? Not of particular use > to me personally, but I like the idea, especially for a compiler. Debian releases are performed by a Debian maintainer, not the FPC team. IIRC, there have been some changes triggered by this maintainer in an attempt to ensure reproducible builds. Tomas _______________________________________________ fpc-pascal maillist - fpc-pascal@lists.freepascal.org http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal