
Re: leaks in our only-signed-software fortress



On Sat, 18 Feb 2012 16:25:20 +0200
Christoph Anton Mitterer <calestyo@scientia.net> wrote:

> Am 18.02.2012 14:40, schrieb Neil Williams:
> >> I think as a start it should be made a policy that any "wrapper"
> >> package that downloads code from the net must at least do a strong
> >> checksum check on the downloaded code.
> > Not possible to enforce as a 'MUST' because, by definition,
> > third-party websites will not provide checksums for every possible
> > download mechanism.
> 
> Well, it's still possible then... the maintainer can just calculate
> sums on his own.

Against what? The source is only downloaded from upstream once per
upstream release, what is there to check against?

-- 


Neil Williams
=============
http://www.linux.codehelp.co.uk/
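As an added illustration of the pattern under discussion (not code from this thread or from any Debian package), the answer to "against what?" is a hash the maintainer records once at packaging time and ships inside the wrapper package; the install step then only accepts a download that matches that pinned value. The manifest format, file names and `verify_pinned`/`demo_pinned` helpers are assumptions for this example, and the check only detects a download that differs from the maintainer's original snapshot, not a snapshot that was already wrong.

```shell
#!/bin/sh
# Added example: a wrapper package pins the sha256 of each upstream
# download in a manifest the maintainer generates at packaging time.
# Manifest format (assumed, same as sha256sum output): <sha256>  <filename>

# Verify one downloaded file against the pinned manifest.
# Returns 0 if the hash matches, 1 if it differs or is not listed.
verify_pinned() {
    file=$1
    manifest=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$manifest")
    if [ -z "$expected" ]; then
        echo "no pinned hash for $name" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name" >&2
        return 1
    fi
    return 0
}

# Walk through both outcomes with constructed files in a temp dir.
# Returns 0 when the pinned copy passes and a changed copy is rejected.
demo_pinned() {
    tmp=$(mktemp -d)
    printf 'pretend upstream tarball v1\n' > "$tmp/upstream-1.0.tar.gz"
    # Maintainer step: record the hash once, when the package is built.
    ( cd "$tmp" && sha256sum upstream-1.0.tar.gz > pinned.sha256 )
    # Install step: the same bytes are downloaded again, so this passes.
    if verify_pinned "$tmp/upstream-1.0.tar.gz" "$tmp/pinned.sha256"; then
        good=0
    else
        good=1
    fi
    # Upstream (or someone in between) silently replaced the file.
    printf 'changed contents\n' > "$tmp/upstream-1.0.tar.gz"
    if verify_pinned "$tmp/upstream-1.0.tar.gz" "$tmp/pinned.sha256" 2>/dev/null; then
        bad=0
    else
        bad=1
    fi
    rm -rf "$tmp"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}
```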


