Re: RFS: Several packages waiting sponsor
On Sun, Dec 26, 2010 at 09:29:00AM +0100, Innocent De Marchi wrote:
> Thank you very much for your attention!
And one more issue, and that's something I see frequently with newcomers,
so I hope that some other new maintainers may read this mail too and avoid
it in the future:

Please don't alter the original released tar file from your upstream.
Just rename it.

Before sponsoring something I always download the original upstream release
and check provided checksums and signatures if possible. Why is this
important? Take a look at the recent mirror compromise of the ProFTPD project.

In this case sadly upstream doesn't provide any checksums or signatures
which is not ideal and something one should ask for. But still the checksum
of the upstream released tarball and the .orig. file on mentors differ.

Please fix this and only build with the original, renamed upstream tarball.
And I don't know much, but I do know this:
With a golden heart comes a rebel fist.
[ Streetlight Manifesto - Here's To Life ]
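
The check described in this mail, as an added example that is not part of the original message: Python that compares the upstream release with the uploaded .orig tarball by SHA-256 and, when they differ, reports whether the archive was only repacked or which files were added, removed or changed. The function names and the in-memory sample archives are constructed for illustration.

```python
import hashlib
import io
import tarfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def member_digests(tar_bytes: bytes) -> dict:
    """Map each regular file to the SHA-256 of its content (read only, nothing is unpacked to disk)."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                digests[member.name] = sha256_hex(tar.extractfile(member).read())
    return digests


def compare_orig(upstream: bytes, orig: bytes) -> dict:
    """Compare the upstream release tarball with the uploaded .orig tarball."""
    result = {"identical": sha256_hex(upstream) == sha256_hex(orig),
              "repacked": False, "added": [], "removed": [], "changed": []}
    if result["identical"]:
        return result  # byte-for-byte the same file, only renamed
    up, og = member_digests(upstream), member_digests(orig)
    result["added"] = sorted(set(og) - set(up))
    result["removed"] = sorted(set(up) - set(og))
    result["changed"] = sorted(n for n in set(up) & set(og) if up[n] != og[n])
    # Same file contents but a different archive: it was unpacked and re-created.
    result["repacked"] = not (result["added"] or result["removed"] or result["changed"])
    return result


def make_tar(files: dict, mtime: int = 0) -> bytes:
    """Build a constructed sample .tar.gz in memory (sample data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(content), mtime
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    upstream = make_tar({"pkg-1.0/README": b"hello\n", "pkg-1.0/configure": b"#!/bin/sh\n"})
    altered = make_tar({"pkg-1.0/README": b"hello\n", "pkg-1.0/configure": b"#!/bin/sh\necho x\n"})
    print(compare_orig(upstream, upstream))
    print(compare_orig(upstream, altered))
```

Even a repacked archive with unchanged file contents fails the checksum comparison, which is why the mail asks for a plain rename of the upstream file.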