On 05/09/2014 11:19 AM, Wael M. Nasreddine wrote: > --- > .travis.yml | 10 ++++++++++ > 1 file changed, 10 insertions(+) > create mode 100644 .travis.yml > > diff --git a/.travis.yml b/.travis.yml > new file mode 100644 > index 0000000..8d92cdc > --- /dev/null > +++ b/.travis.yml > @@ -0,0 +1,10 @@ > +language: c > +before_install: > + - sudo apt-get update -qq > + - wget > 'https://launchpad.net/ubuntu/+archive/primary/+files/zlib1g-dev_1.2.8.dfsg-1ubuntu1_amd64.deb' > + - wget > 'https://launchpad.net/ubuntu/+archive/primary/+files/zlib1g_1.2.8.dfsg-1ubuntu1_amd64.deb' > + - sudo dpkg -i zlib1g-dev_1.2.8.dfsg-1ubuntu1_amd64.deb > zlib1g_1.2.8.dfsg-1ubuntu1_amd64.deb
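Review bot: In before_install, the two .deb files fetched with wget are passed straight to `sudo dpkg -i` with no integrity check, so whatever those URLs serve at build time is installed with root privileges. Pin a SHA-256 digest for each file in .travis.yml and add a verification step between the wget lines and the dpkg line (for example `sha256sum -c` against the pinned values), so the build aborts on a mismatch before anything is installed.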
The above strikes me as a problem waiting to happen. If there are specific versions of zlib that need to be installed, and we know what the package is that needs to be installed, at the very least, the scripts to fetch each package should verify a strong cryptographic digest of the package before directly installing it from the network. If the digest doesn't match, then the script should abort with a failure, before installing the packages.

--dkg
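One way to implement the check described in the reply above, as an added example that is not part of the original message or the notmuch tree: a POSIX shell helper that verifies every downloaded package against a pinned SHA-256 digest and refuses to install if any entry fails. The function names, the manifest format and the `INSTALLER` override are assumptions; the page gives no digests, so the pinned values would have to be recorded from a trusted copy of the packages.

```shell
#!/bin/sh
# Added example: check pinned SHA-256 digests before any package is installed.
# Manifest format (assumed): one "<sha256-hex>  <path>" entry per line.

# verify_sha256 FILE EXPECTED: 0 only if FILE exists and its digest matches.
verify_sha256() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 1; }
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$actual" != "$2" ]; then
        echo "digest mismatch: $1 (expected $2, got $actual)" >&2
        return 1
    fi
    return 0
}

# verify_all MANIFEST: every entry must pass; the first failure fails the batch.
verify_all() {
    [ -s "$1" ] || { echo "empty or missing manifest: $1" >&2; return 1; }
    # "|| [ -n "$digest" ]" keeps a final line without a trailing newline
    # from being skipped, which would leave that package unverified.
    while read -r digest path || [ -n "$digest" ]; do
        case $digest in ''|'#'*) continue ;; esac
        verify_sha256 "$path" "$digest" || return 1
    done < "$1"
    return 0
}

# install_verified MANIFEST: run the installer only after all digests match.
# INSTALLER is a hypothetical override so the flow can be exercised without root.
install_verified() {
    verify_all "$1" || return 1
    # Word splitting is intended: installer words, then one path per entry.
    ${INSTALLER:-sudo dpkg -i} $(awk '!/^#/ && NF { print $2 }' "$1")
}
```

The comparison fails closed: a missing file, an empty manifest, or a digest written in a different case than `sha256sum` prints all stop the install.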