El dissabte, 18 d’agost de 2018, a les 15:41:38 CEST, Thomas Jarosch va escriure: > Hello Albert, > > is there any way to verify the integrity of poppler source releases? > > I didn't spot a GPG signature for the tarball > or a simple SHA256 / MD5 checksum. > > If a gpg signature is too much effort, it would already help if there's > an official sha256sum in the release announcement on the mailinglist. > (https://lists.freedesktop.org/archives/poppler/2018-July/013275.html) > > That would help to verify the download server has not been tampered with.
You mean you're afraid somebody hacked on freedesktop git and replaced https://cgit.freedesktop.org/poppler/poppler/tag/?h=poppler-0.67.0 to a different commit than the one that I originally tagged? Cheers, Albert > > Thanks in advance! > Thomas Jarosch > > > > _______________________________________________ > poppler mailing list > [email protected] > https://lists.freedesktop.org/mailman/listinfo/poppler > _______________________________________________ poppler mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/poppler
