On Tue, 05 Jul 2011 11:01:15 +0200, AS (Andreas) wrote: > > The uploaded tarball checksum enters the "sources" file in git, and any > > tarball downloaded from the lookaside cache MUST match that checksum. > > Else it wouldn't be downloaded and used. Source RPM build in koji would > > fail. > > That won't help if the tarball is already defective when uploaded. The > checksum is basically only used to identify the blob in the cache, at > most to detect cache corruptions.
And I didn't claim otherwise. The post I replied to already had mentioned: | For Fedora, package maintainers are responsible for uploading verified | tar balls to the fedora build system. -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
