On Thu, Mar 07, 2024 at 05:26:08PM -0500, pgnd via Postfix-users wrote:
> I understand the "only official" release sources are the tarballs,
>
> TARBALL DL FROM MIRROR SITE
> wget
> https://mirror.reverse.net/pub/postfix-release/official/postfix-3.8.6.tar.gz
> sha1sum postfix-3.8.6.tar.gz
> 19a387be8e3c2be239d7b4009a6b0b4af96b5c23
> postfix-3.8.6.tar.gz
> tar zxvf postfix-3.8.6.tar.gz
> sha1sum $(find -type f -iname "postfix.c")
> deb2575c7788ea1703e3b306333dbd4a3cf3f3cf
> ./postfix-3.8.6/src/postfix/postfix.c
>
> For my own workflow/convenience, my pref is to grab Viktor Dukhovni's
> (unofficial?) git mirror release-tag's archive tarball,
My github repo is not an official alternative distribution mechanism.
It primarily serves my own needs, and secondarily the needs of
developers or users who want a convenient way to examine Postfix
development history.
> Is there a convenient/reliable method to similarly verify the entire
> archive tarball, &/or the github repo source ?
I do not sign the release tags, so no there is no way to check that they
match Wietse's code, other than by comparing against Wietse's signed
tarballs.
If Wietse some day chooses to release Postfix via github, he may at that
point choose to generate signed release tags.
--
Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
