On Monday 27 September 2010, Giuseppe Ghibò wrote:
> The secure one would download the tarball automatically from the original
> repositories:
>
> e.g.: suppose there is a package SPEC file containing:
>
> Source: http://blabla.com/openssh-5.5-1.tar.xz
> Source1: http://blabla.com/openssh-5.5.1.tar.sig
>
> An automatic system would try to retrieve from the http://blabla.com/ site
> the packages http://blabla.com/openssh-5.5-1.tar.xz, or, if that does not exist,
> http://blabla.com/openssh-5.5-1.tar.bz2 or
> http://blabla.com/openssh-5.5-1.tar.gz or
> http://blabla.com/openssh-5.5-1.tar. Then it would retrieve the signature
> http://blabla.com/openssh-5.5.1.tar.sig and check it against the one from
> the Database of signatures which has already been populated on the secure
> system. If the signature check matches, then the tarball would be
> uploaded to the "secure" system svn and used for building instead of the
> one from the contributor/package maintainer.
>
> [Of course the system would fail if the package maintainer has downloaded
> the source tarball from the svn and not from a canonical repository, and to
> be further secure this system would also require signing of Patches].
>

... or just use git, which ensures source code integrity.

--
Say NO to spam and viruses. Stop using Microsoft Windows!
_______________________________________________
Mageia-dev mailing list
[email protected]
https://www.mageia.org/mailman/listinfo/mageia-dev
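The fetch-with-fallbacks-then-verify flow described in the quoted proposal, as an added example that is not part of the thread or of any Mageia tooling. It assumes a minimal spec format with `Source`/`SourceN` lines, models the "Database of signatures" as a table of pinned per-host keys, and stands in an HMAC-SHA256 `toy_sign` for a detached OpenPGP signature (a real implementation would call `gpg --verify` with the pinned public key); the sample spec, key, tarball and in-memory "site" are constructed.

```python
import hashlib
import hmac
import re

# Fallback order from the proposal: .tar.xz, then .tar.bz2, .tar.gz, plain .tar
FALLBACK_SUFFIXES = [".tar.xz", ".tar.bz2", ".tar.gz", ".tar"]
SOURCE_RE = re.compile(r"^Source(\d*):\s*(\S+)\s*$", re.MULTILINE)

def parse_sources(spec_text):
    """Map 'Source', 'Source1', ... to their URLs from the spec text."""
    return {f"Source{n}": url for n, url in SOURCE_RE.findall(spec_text)}

def candidate_urls(source_url):
    """Expand a tarball URL into the ordered list of URLs to try."""
    for suffix in FALLBACK_SUFFIXES:
        if source_url.endswith(suffix):
            base = source_url[: -len(suffix)]
            return [base + s for s in FALLBACK_SUFFIXES]
    return [source_url]

def fetch_first(urls, fetch):
    """Return (url, data) for the first URL fetch() can retrieve (fetch returns None on 404)."""
    for url in urls:
        data = fetch(url)
        if data is not None:
            return url, data
    return None

def toy_sign(key, tarball):
    """Stand-in for a detached OpenPGP signature: HMAC-SHA256 under the upstream key."""
    return hmac.new(key, tarball, hashlib.sha256).digest()

def fetch_and_verify(spec_text, trusted_keys, fetch):
    """Fetch the tarball (with fallbacks) and its .sig; return the tarball only if
    the .sig verifies under the key pinned for that site, otherwise None."""
    sources = parse_sources(spec_text)
    key = trusted_keys.get(sources["Source"].split("/")[2])  # pinned key per host
    got = fetch_first(candidate_urls(sources["Source"]), fetch)
    sig = fetch(sources["Source1"])
    if key is None or got is None or sig is None:
        return None  # no pinned key, no tarball or no signature: nothing to trust
    tarball = got[1]
    # constant-time compare; a forged, stale or mismatched .sig rejects the tarball
    return tarball if hmac.compare_digest(toy_sign(key, tarball), sig) else None

# Constructed sample: the spec from the proposal, served by an in-memory "site"
# where only the .tar.gz exists (so the .xz and .bz2 candidates must be skipped).
SPEC = "Source: http://blabla.com/openssh-5.5-1.tar.xz\nSource1: http://blabla.com/openssh-5.5.1.tar.sig\n"
KEY, TARBALL = b"upstream-key", b"fake tarball bytes"
SITE = {"http://blabla.com/openssh-5.5-1.tar.gz": TARBALL,
        "http://blabla.com/openssh-5.5.1.tar.sig": toy_sign(KEY, TARBALL)}
```

Because `dict.get` returns `None` for a missing key, `SITE.get` serves directly as the fetcher; the check that matters is that a tarball altered after signing, or a host with no pinned key, is never handed to the build.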
