martin f krafft wrote:
> also sprach Toshio Kuratomi <> [2009.05.09.2006 +0200]:
>> 1) Is source url canonical?
>> 2) Download tarball from source url.
>> sha1sum of the tarball just downloaded matches the sha1sum of the tarball
>> used to build the package.
>> (If you're the maintainer, you don't have to do step 3)
> you *should* though, and insist on a trust path to the author, or
> else all I ever have to do to harm all Fedora people is DNS-poison
> a Fedora maintainer's connection.
Well -- the reason that the Fedora maintainer doesn't have to do #3 is
that there isn't a package until the fedora maintainer puts it together.

In response to DNS poisoning, the only ways I know of to get around that are:
1) Check against the tarballs in other distros' packages.
2) Upstream provides gpg signatures of either the tarball or a checksum.

#2 is great when it is available :-)

>> 4) Pull the latest source from the repo
>> 5) untar the tarball
>> 6) Diff between the source repo and the tarball
>> 7) For the differences between the source repo and tarball check that:
>>   * the differences are due to a file generated in the creation of the
>> tarball (like configure or
>>   * files that won't matter to the build (upstream has a HOW_TO_RELEASE
>> file in the repo that isn't in the tarball)
>>   * other things that are more subtle :-(  (permissions on files,
>> versions substituted into files at tarball creation time, etc)
> Yes; or make sure that upstream understands to build the tarball
> from a tag, and not the other way around: tag after the tarball was
> built.
You still have all the other steps since we're talking about verifying here.

I think we're in agreement about everything else :-)


vcs-pkg-discuss mailing list
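As an added example (not code from this thread, nor Fedora's or any upstream's tooling), here is a POSIX shell sketch of steps 3 and 5-7 from the message above: hash the downloaded tarball against the recorded sha1, unpack it, diff it against a checkout, and sort every difference into "generated at tarball time", "deliberately left out of the tarball", or "needs a human". The upstream tree, the tarball, the file names and the two allow-lists are assumptions constructed for the demo; `check_sig` wraps `gpg --verify` for the signed-tarball case from option 2 and is not exercised, since it needs a real key and trust path.

```shell
#!/bin/sh
# Added example for the verification steps in the message above; not code
# from the thread or from Fedora. The upstream tree, tarball, file names and
# the two allow-lists below are assumptions constructed for this demo.
set -eu

GENERATED="configure Makefile.in aclocal.m4 config.h.in"   # made at tarball time
REPO_ONLY="HOW_TO_RELEASE .gitignore"                     # never shipped, harmless

is_in() {   # $1 = word, $2 = space-separated list
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

sha1_of() {   # GNU coreutils sha1sum, else BSD shasum
    { sha1sum "$1" 2>/dev/null || shasum -a 1 "$1"; } | cut -d' ' -f1
}

# Step 3: the tarball we fetched must hash to what the package was built from.
check_sha1() { [ "$(sha1_of "$1")" = "$2" ]; }   # $1 = tarball, $2 = expected sha1

# Option 2 above: a detached upstream signature over the tarball or its
# checksum list. Only meaningful once you trust the signing key yourself;
# a DNS-poisoned download cannot forge this. Not exercised by the demo.
check_sig() { gpg --verify "$1" "$2"; }          # $1 = .asc/.sig, $2 = signed file

rel_of() {  # "Only in DIR: NAME" diff line -> path relative to base dir $2
    rest=${1#Only in }; dir=${rest%: *}; rel=${dir#"$2"}/${rest##*: }
    printf '%s\n' "${rel#/}"
}

# Steps 5-7: unpack, diff against the checkout, classify each difference.
# $1 = tarball, $2 = checkout, $3 = top-level dir inside the tarball.
# Prints one finding per line; returns 0 only if nothing is tagged REVIEW.
classify_diff() {
    tarball=$1 repo=$2 topdir=$3
    work=$(mktemp -d)
    tar -xf "$tarball" -C "$work"
    tree=$work/$topdir
    out=$work/findings
    diff -rq "$repo" "$tree" | while IFS= read -r line; do
        case $line in
        "Only in $tree"*)   # exists in the tarball only
            rel=$(rel_of "$line" "$tree")
            if is_in "$(basename "$rel")" "$GENERATED"
            then printf '%-10s %s\n' generated "$rel"
            else printf '%-10s tarball-only %s\n' REVIEW "$rel"; fi ;;
        "Only in $repo"*)   # exists in the checkout only
            rel=$(rel_of "$line" "$repo")
            if is_in "$(basename "$rel")" "$REPO_ONLY"
            then printf '%-10s %s\n' repo-only "$rel"
            else printf '%-10s dropped %s\n' REVIEW "$rel"; fi ;;
        "Files "*)          # content differs: version substitution, or worse
            a=${line#Files }; a=${a%% and *}
            printf '%-10s differs %s\n' REVIEW "${a#"$repo"/}" ;;
        esac
    done > "$out"
    # diff -rq ignores modes; compare the executable bit of files in both trees.
    (cd "$repo" && find . -type f) | while IFS= read -r f; do
        [ -f "$tree/$f" ] || continue
        rx=n; tx=n
        [ -x "$repo/$f" ] && rx=y
        [ -x "$tree/$f" ] && tx=y
        [ "$rx" = "$tx" ] || printf '%-10s mode %s\n' REVIEW "${f#./}"
    done >> "$out"
    cat "$out"
    n=$(grep -c '^REVIEW' "$out" || true)
    rm -rf "$work"
    [ "$n" -eq 0 ]
}

# Constructed stand-ins for a checkout (step 4) and the tarball upstream cut.
make_demo() {   # prints the directory holding repo/ and foo-1.0.tar.gz
    d=$(mktemp -d)
    mkdir -p "$d/repo/src" "$d/stage"
    printf '#define VERSION "@VERSION@"\n' > "$d/repo/src/version.h"
    printf 'tag first, then make dist\n'   > "$d/repo/HOW_TO_RELEASE"
    printf '#!/bin/sh\nmake\n'             > "$d/repo/build.sh"
    chmod +x "$d/repo/build.sh"
    cp -Rp "$d/repo" "$d/stage/foo-1.0"                  # "make dist": copy,
    rm "$d/stage/foo-1.0/HOW_TO_RELEASE"                  # drop release notes,
    printf '#!/bin/sh\necho configure\n' > "$d/stage/foo-1.0/configure"   # generate,
    printf '#define VERSION "1.0"\n' > "$d/stage/foo-1.0/src/version.h"   # substitute,
    chmod -x "$d/stage/foo-1.0/build.sh"                  # and lose a mode bit
    tar -czf "$d/foo-1.0.tar.gz" -C "$d/stage" foo-1.0
    printf '%s\n' "$d"
}

demo=$(make_demo)
tb=$demo/foo-1.0.tar.gz
check_sha1 "$tb" "$(sha1_of "$tb")" && echo "sha1 matches the recorded hash"
check_sha1 "$tb" 0000000000000000000000000000000000000000 || echo "sha1 mismatch: stop here"
classify_diff "$tb" "$demo/repo" foo-1.0 || echo "=> differences need a human"
rm -rf "$demo"
```

On the demo tree this reports `configure` as generated and `HOW_TO_RELEASE` as repo-only, and flags two items for review: `src/version.h`, whose contents differ because the version was substituted at release time, and `build.sh`, which lost its executable bit. Those two are exactly the "more subtle" cases from step 7; the allow-lists encode what you have already checked once for this upstream, so the script only ever asks a human about something new.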