On 2014-08-17 16:20:34 +0800 (+0800), Thomas Goirand wrote:
> But then in which way will you check that the said upstream tarball,
> without any upstream checksum, is valid? At least tags are
> signed...

You keep coming back to the assumption that upstreams don't provide signed lists of checksums. I would wager that the percentage of upstreams who sign VCS tags is probably (within reasonable margin of error) roughly equivalent to the number who sign lists of file checksums or provide detached signatures of the release files themselves, so this argument seems specious.

> Also, why the forensic investigation wouldn't instead check that the
> generated tarballs are really based on the correct PGP signed tags?
[...]

If there is a release-time build step between the VCS tag and the tarball, then this can become nontrivial.
-- 
Jeremy Stanley

-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140818204725.gw1...@yuggoth.org
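The message above contrasts two upstream release artefacts a packager can verify: a PGP-signed VCS tag and a PGP-signed list of file checksums. The following is an added example, not code from the thread or from Debian; it shows the checksum-list side in Python. It assumes the manifest is in the format written by `sha256sum` (`<hex digest>  <filename>`, with an optional leading `*` for binary mode), that the detached OpenPGP signature over the manifest has already been checked with `gpg --verify SHA256SUMS.asc SHA256SUMS` before any digest in it is trusted, and it uses constructed tarball bytes and a constructed manifest rather than a real release. The file names `foo-1.0.tar.gz`, `foo-1.0-docs.tar.gz`, `CHANGES.txt` and `stray.tar.gz` are placeholders.

```python
"""Verify release files against a signed checksum manifest (SHA256SUMS style).

Added example, not code from the thread. The OpenPGP signature over the
manifest must be verified separately (e.g. `gpg --verify SHA256SUMS.asc
SHA256SUMS`) before the digests below are trusted; that step is assumed
to have happened and is not performed here.
"""
import hashlib
import re

# One manifest line: 64 hex chars, whitespace, optional "*" marker, filename.
_LINE_RE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def parse_sha256sums(text):
    """Parse manifest text into {filename: hex_digest}; skip blanks and comments."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        digest, name = m.group(1).lower(), m.group(2)
        if name in entries and entries[name] != digest:
            raise ValueError(f"conflicting digests for {name!r}")
        entries[name] = digest
    return entries


def verify_release(manifest, files):
    """Compare each file's bytes against the (already signature-checked) manifest.

    `files` maps filename -> bytes (read from disk in practice). Returns
    {filename: "ok" | "mismatch" | "unlisted" | "missing"}: "unlisted" is a
    file the manifest never vouched for, "missing" a manifest entry with no
    corresponding file.
    """
    expected = parse_sha256sums(manifest)
    result = {}
    for name, data in files.items():
        if name not in expected:
            result[name] = "unlisted"
            continue
        actual = hashlib.sha256(data).hexdigest()
        result[name] = "ok" if actual == expected[name] else "mismatch"
    for name in expected:
        if name not in files:
            result[name] = "missing"
    return result


# Constructed sample data (placeholder names, not a real release): the
# manifest lists one tarball correctly, one with a deliberately wrong digest,
# and one file that is not supplied at all.
GOOD_TARBALL = b"constructed tarball contents for foo-1.0\n"
DOCS_TARBALL = b"constructed tarball contents for foo-1.0 docs\n"
SAMPLE_MANIFEST = (
    "# constructed manifest; a real one would be covered by SHA256SUMS.asc\n"
    f"{hashlib.sha256(GOOD_TARBALL).hexdigest()}  foo-1.0.tar.gz\n"
    f"{'0' * 64}  *foo-1.0-docs.tar.gz\n"
    f"{'1' * 64}  CHANGES.txt\n"
)
SAMPLE_FILES = {
    "foo-1.0.tar.gz": GOOD_TARBALL,
    "foo-1.0-docs.tar.gz": DOCS_TARBALL,
    "stray.tar.gz": b"not in manifest\n",
}

if __name__ == "__main__":
    for name, status in sorted(verify_release(SAMPLE_MANIFEST, SAMPLE_FILES).items()):
        print(f"{status:9} {name}")
```

The checker deliberately reports "unlisted" and "missing" as distinct outcomes: a tarball the manifest does not mention carries no upstream assurance even if nothing about it looks wrong, and a missing listed file may indicate an incomplete download. This is also why a signed checksum list sidesteps the difficulty the reply raises about tags: it covers the tarball as actually published, so the verifier need not reproduce whatever release-time build step sits between the tag and the tarball.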