martin f krafft wrote:
> thus spoke Toshio Kuratomi <a.bad...@gmail.com> [2009.05.09.2006 +0200]:
>> 1) Is source url canonical?
>> 2) Download tarball from source url.
>> 3) sha1sum tarball just downloaded matches with sha1sum tarball used to
>> build package.
>>
>> (If you're the maintainer, you don't have to do step 3)
>
> you *should* though, and insist on a trust path to the author, or
> else all I ever have to do to harm all Fedora people is DNS-poison
> a Fedora maintainer's connection.
>
Well -- the reason that the Fedora maintainer doesn't have to do #3 is that there isn't a package until the Fedora maintainer puts it together.

In response to DNS poisoning, the only ways I know of to get around that are:

1) Check against the tarballs in other distros' packages.
2) Upstream provides gpg signatures of either the tarball or a checksum file.

#2 is great when it is available :-)

>> 4) Pull the latest source from the repo
>> 5) untar the tarball
>> 6) Diff between the source repo and the tarball
>> 7) For the differences between the source repo and tarball check that:
>>    * the differences are due to a file generated in the creation of the
>>      tarball (like configure or Makefile.in)
>>    * files that won't matter to the build (upstream has a HOW_TO_RELEASE
>>      file in the repo that isn't in the tarball)
>>    * other things that are more subtle :-( (permissions on files,
>>      versions substituted into files at tarball creation time, etc)
>
> Yes; or make sure that upstream understands to build the tarball
> from a tag, and not the other way around: tag after the tarball was
> built.
>
You still have all the other steps since we're talking about verifying here.

I think we're in agreement about everything else :-)

-Toshio
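The checks Toshio lists, step 3 (checksum of the downloaded tarball against the one recorded at build time) and steps 5 to 7 (unpack, diff against the repo checkout, explain every difference), as a runnable sketch. This is an added example, not code from the thread or from any distribution's tooling: the "repo checkout", the release tarball, a tampered tarball standing in for a poisoned download, and the allow-lists GENERATED and REPO_ONLY are all constructed here in a temp directory, and sha256sum is used where the thread says sha1sum.

```shell
#!/bin/sh
# Added example, not code from the thread: step 3 (checksum) and steps 5-7
# (unpack, diff, explain) as shell functions, run against constructed fixtures.
# Nothing is downloaded; sha256sum stands in for the thread's sha1sum.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# ---- Constructed fixtures -------------------------------------------------
REPO="$WORK/repo"                                  # what a tag checkout holds
mkdir -p "$REPO/src"
printf 'int main(void) { return 0; }\n' > "$REPO/src/main.c"
printf 'AC_INIT([demo], [1.0])\n'        > "$REPO/configure.ac"
printf 'run "make dist" from the tag\n'  > "$REPO/HOW_TO_RELEASE"   # repo only

STAGE="$WORK/demo-1.0"                             # what "make dist" produced
mkdir -p "$STAGE/src"
cp "$REPO/src/main.c" "$STAGE/src/"
cp "$REPO/configure.ac" "$STAGE/"
printf '#!/bin/sh\n# generated by autoconf\n' > "$STAGE/configure"
printf '# generated by automake\n'            > "$STAGE/Makefile.in"
TARBALL="$WORK/demo-1.0.tar.gz"
tar -C "$WORK" -czf "$TARBALL" demo-1.0
RECORDED_SUM=$(sha256sum "$TARBALL" | cut -d' ' -f1)   # noted at build time

# Constructed tampered tarball: one source file altered, one file added.
mkdir "$WORK/t"
cp -R "$STAGE" "$WORK/t/demo-1.0"
printf 'int main(void) { return 1; }\n' > "$WORK/t/demo-1.0/src/main.c"
printf 'void extra(void) {}\n'          > "$WORK/t/demo-1.0/src/extra.c"
TAMPERED="$WORK/tampered.tar.gz"
tar -C "$WORK/t" -czf "$TAMPERED" demo-1.0

# ---- Step 3: checksum of the downloaded tarball vs. the recorded one ------
verify_checksum() {                  # verify_checksum TARBALL EXPECTED_SUM
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# ---- Steps 5-7: unpack, diff against the repo, explain each difference ----
# Assumed allow-lists (not from the thread): files the release process
# generates, and files upstream keeps only in the repo.
GENERATED='configure Makefile.in aclocal.m4 config.h.in'
REPO_ONLY='HOW_TO_RELEASE .gitignore'

listed() {                           # listed NAME "word list" -> 0 if present
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

review_tarball_vs_repo() {           # review_tarball_vs_repo TARBALL REPO
    unpack=$(mktemp -d "$WORK/unpack.XXXXXX")
    tar -C "$unpack" -xzf "$1"
    tree="$unpack/$(ls "$unpack")"   # the tarball's single top directory
    report="$unpack.diff"
    diff -rq "$2" "$tree" > "$report" || true   # exit 1 only means "differs"
    unexplained=0
    while read -r line; do
        case "$line" in
            "Only in "*)             # "Only in DIR: NAME"
                name=${line##*: }
                dir=${line#Only in }; dir=${dir%%: *}
                if [ "${dir#"$tree"}" != "$dir" ] && listed "$name" "$GENERATED"; then
                    echo "explained: $name is generated at release time"
                elif [ "${dir#"$2"}" != "$dir" ] && listed "$name" "$REPO_ONLY"; then
                    echo "explained: $name is kept only in the repo"
                else
                    echo "NEEDS REVIEW: $line"; unexplained=$((unexplained + 1))
                fi ;;
            *)                       # "Files A and B differ": content changed
                echo "NEEDS REVIEW: $line"; unexplained=$((unexplained + 1)) ;;
        esac
    done < "$report"
    [ "$unexplained" -eq 0 ]
}

# ---- Run both tarballs through the checks ---------------------------------
for t in "$TARBALL" "$TAMPERED"; do
    echo "== $t"
    if verify_checksum "$t" "$RECORDED_SUM"; then echo "checksum: OK"
    else echo "checksum: MISMATCH"; fi
    if review_tarball_vs_repo "$t" "$REPO"; then echo "diff: all differences explained"
    else echo "diff: unexplained differences, inspect before packaging"; fi
done
```

The clean tarball passes both checks: HOW_TO_RELEASE is explained as repo-only, configure and Makefile.in as generated. The tampered one fails the checksum and leaves two unexplained lines (a changed src/main.c and an unexpected src/extra.c). The allow-lists are where the judgement in step 7 lives; anything the lists do not cover is reported rather than silently accepted. The gpg check from Toshio's option 2 is not shown here; it would be a `gpg --verify` of upstream's detached signature, with the signing key obtained over a trust path rather than from the same download location.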
_______________________________________________
vcs-pkg-discuss mailing list
firstname.lastname@example.org
http://lists.alioth.debian.org/mailman/listinfo/vcs-pkg-discuss