On Sat, Feb 18, 2012 at 04:42:38PM -0200, Henrique de Moraes Holschuh wrote: > > Against what? The source is only downloaded from upstream once per > > upstream release, what is there to check against? > > Upstream VCS, previous releases (when the diff is small enough), request > that upstream publish in an email message the sha1sum or sha256sum when they > announce a new release, etc. A good part of upstreams use git, let's educate them about signed tags. -- // If you believe in so-called "intellectual property", please immediately // cease using counterfeit alphabets. Instead, contact the nearest temple // of Amon, whose priests will provide you with scribal services for all // your writing needs, for Reasonable and Non-Discriminatory prices.
Attachment:
signature.asc
Description: Digital signature