also sprach Toshio Kuratomi <> [2009.05.09.2122 +0200]:
> >> 3) sha1sum tarball just downloaded matches with sha1sum tarball used to
> >> build package.
> >>
> >> (If you're the maintainer, you don't have to do step 3)
> > 
> > you *should* though, and insist on a trust path to the author, or
> > else all I ever have to do to harm all Fedora people is DNS-poison
> > a Fedora maintainer's connection.
> > 
> Well -- the reason that the Fedora maintainer doesn't have to do #3 is
> that there isn't a package until the fedora maintainer puts it together.

Ah, I meant:

> In response to DNS poisoning, the only ways I know of to get
> around that are:
> 1) Check against the tarballs in other distros packages.
> 2) Upstream provides gpg signatures of either the tarball or
> a checksum file.

The maintainer should ensure that the tarball used to create
a package is pristine, just like s/he should ensure that building
from a VCS tag has the desired effect.

 .''`.   martin f. krafft <madd...@d.o>      Related projects:
: :'  :  proud Debian developer     
`. `'`
  `-  Debian - when you have better things to do than fixing systems
(a)bort, (r)etry, (p)retend this never happened

vcs-pkg-discuss mailing list
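The two checks the thread converges on (compare the tarball against a signed upstream checksum file, and confirm that what you just downloaded is byte-for-byte what the package was built from) as an added example. This is illustrative code written for this page, not Fedora or Debian packaging tooling and not anything the posters supplied. It assumes `gpg` is on PATH for the signature step (invoked with `--status-fd` so the signing key's fingerprint can be checked against one you pinned in advance, which is the "trust path to the author" the reply asks for); the `demo()` function exercises only the checksum checks, on a constructed stand-in tarball and a constructed `SHA1SUMS` file, so it runs offline without gpg.

```python
"""Checks a packager can run on a freshly downloaded upstream tarball:
verify it against an upstream checksum file, verify the GPG signature on
that file (or on the tarball) against a pinned key fingerprint, and
confirm the download matches the digest recorded at package-build time.
Added example for this page; not the posters' or any distribution's code."""
import hashlib
import os
import re
import subprocess
import tempfile

# One line of sha1sum/sha256sum/sha512sum output: "<hex>  <name>" or "<hex> *<name>".
_CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{40,128})\s+\*?(\S.*)$")


def digest_bytes(data, algo="sha1"):
    return hashlib.new(algo, data).hexdigest()


def file_digest(path, algo="sha1"):
    """Hex digest of a file, streamed so a large tarball is not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_file(text):
    """Map basename -> lowercase hex digest; reject anything that is not a checksum line."""
    digests = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _CHECKSUM_LINE.match(line)
        if m is None:
            raise ValueError("malformed checksum line: %r" % line)
        digests[os.path.basename(m.group(2))] = m.group(1).lower()
    return digests


def verify_against_checksum_file(tarball, checksum_text, algo="sha1"):
    """Does the tarball match the digest upstream published for it?"""
    expected = parse_checksum_file(checksum_text).get(os.path.basename(tarball))
    if expected is None:
        return False  # not listed at all: a failure, not a pass
    return file_digest(tarball, algo) == expected


def verify_gpg_signature(signed_file, detached_sig, expected_fingerprints, gpg="gpg"):
    """Run gpg --verify and insist the VALIDSIG fingerprint is one we pinned.
    A zero exit status alone is not enough: gpg exits 0 for a good signature
    from any key it has imported, whether or not that key is the author's."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", detached_sig, signed_file],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    if proc.returncode != 0:
        return False
    wanted = {f.replace(" ", "").upper() for f in expected_fingerprints}
    for line in proc.stdout.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            # fields[2] is the signing (sub)key; the last field is the primary key fingerprint
            if fields[2].upper() in wanted or fields[-1].upper() in wanted:
                return True
    return False


def matches_build_digest(tarball, digest_recorded_at_build, algo="sha1"):
    """Step 3 of the thread: a re-download must equal what the package was built from."""
    return file_digest(tarball, algo) == digest_recorded_at_build.lower()


def demo():
    """Exercise the checksum checks on a constructed tarball (no network, no gpg)."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        tarball = os.path.join(d, "foo-1.0.tar.gz")
        with open(tarball, "wb") as f:
            f.write(b"constructed stand-in for an upstream tarball\n")
        build_digest = file_digest(tarball)
        # Constructed SHA1SUMS, as upstream would publish it for the good file.
        sha1sums = "%s  foo-1.0.tar.gz\n%s *other-2.0.tar.gz\n" % (build_digest, "0" * 40)
        results["clean_passes"] = verify_against_checksum_file(tarball, sha1sums)
        results["rebuild_matches"] = matches_build_digest(tarball, build_digest.upper())
        # Simulate a poisoned mirror serving a different file under the same name.
        with open(tarball, "ab") as f:
            f.write(b"# appended by attacker\n")
        results["tampered_fails"] = not verify_against_checksum_file(tarball, sha1sums)
        results["tampered_rebuild_fails"] = not matches_build_digest(tarball, build_digest)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-24s %s" % (name, "OK" if ok else "FAIL"))
```

The order matters in practice: verify the signature on the checksum file first, with the author's fingerprint pinned in the package's own VCS rather than fetched from the same possibly-poisoned network, and only then trust the digests in it. A checksum file that is not signed only proves that the mirror is self-consistent.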