
Re: Standardizing the layout of git packaging repositories



On 2014-08-17 16:20:34 +0800 (+0800), Thomas Goirand wrote:
> But then in which way will you check that the said upstream tarball,
> without any upstream checksum, is valid? At least tags are
> signed...

You keep coming back to the assumption that upstreams don't provide
signed lists of checksums. I would wager that the percentage of
upstreams who sign VCS tags is probably (within reasonable margin
of error) roughly equivalent to the number who sign lists of file
checksums or provide detached signatures of the release files
themselves, so this argument seems specious.

> Also, why wouldn't the forensic investigation instead check that the
> generated tarballs are really based on the correct PGP signed tags?
[...]

If there is a release-time build step between the VCS tag and the
tarball, then this can become nontrivial.
-- 
Jeremy Stanley
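An added example, not part of the thread above: a checker for the sha256sum(1)-style checksum list that the reply says many upstreams publish. File names, contents and digests are constructed here, and the list is assumed to have already had its detached PGP signature verified (e.g. `gpg --verify SHA256SUMS.asc`) before it is trusted; this code only does the digest comparison and reports the mismatch, missing and unlisted cases.

```python
import hashlib
import re

# Constructed sample inputs (not from the thread): two release files and a
# sha256sum(1)-style checksum list of the kind an upstream ships beside a
# detached PGP signature.  Verifying that signature is assumed done already.
RELEASE_FILES = {
    "foo-1.0.tar.gz": b"pretend tarball contents v1.0\n",
    "foo-1.0.tar.gz.asc": b"pretend detached signature\n",
}

CHECKSUM_LIST = (
    hashlib.sha256(RELEASE_FILES["foo-1.0.tar.gz"]).hexdigest()
    + "  foo-1.0.tar.gz\n"
    + "0" * 64 + " *foo-1.0.tar.gz.asc\n"   # deliberately wrong digest (binary-mode marker)
    + "deadbeef" * 8 + "  foo-0.9.tar.gz\n"  # listed but not downloaded
)

# "<64 hex> <space or '*'> <filename>" as written by sha256sum
_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_checksum_list(text):
    """Return {filename: digest} from sha256sum-style lines; blanks/comments skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("malformed checksum line: %r" % line)
        entries[m.group(2)] = m.group(1).lower()
    return entries


def verify_release(files, checksum_text):
    """Compare each file's SHA-256 with the (signature-verified) list.
    Returns {filename: "ok" | "MISMATCH" | "NOT LISTED" | "MISSING"}."""
    expected = parse_checksum_list(checksum_text)
    result = {}
    for name, data in files.items():
        if name not in expected:
            result[name] = "NOT LISTED"   # never covered by the upstream signature
        elif hashlib.sha256(data).hexdigest() == expected[name]:
            result[name] = "ok"
        else:
            result[name] = "MISMATCH"     # corrupted or substituted download
    for name in expected:
        if name not in files:
            result[name] = "MISSING"      # listed release file not present
    return result
```

A file reported as "NOT LISTED" has no integrity claim from upstream at all, which is the situation the thread's question about unsigned tarballs describes.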

