Dealing with autotools

Toshio Kuratomi a.badger at gmail.com
Sat May 9 19:22:07 UTC 2009


martin f krafft wrote:
> also sprach Toshio Kuratomi <a.badger at gmail.com> [2009.05.09.2006 +0200]:
>> 1) Is source url canonical?
>> 2) Download tarball from source url.
>> 3) sha1sum tarball just downloaded matches with sha1sum tarball used to
>> build package.
>>
>> (If you're the maintainer, you don't have to do step 3)
> 
> you *should* though, and insist on a trust path to the author, or
> else all I ever have to do to harm all Fedora people is DNS-poison
> a Fedora maintainer's connection.
> 
Well -- the reason that the Fedora maintainer doesn't have to do #3 is
that there isn't a package until the Fedora maintainer puts it together.

In response to DNS poisoning, the only ways I know of to get around that
are:
1) Check against the tarballs in other distros packages.
2) Upstream provides gpg signatures of either the tarball or a checksum
file.

#2 is great when it is available :-)

>> 4) Pull the latest source from the repo
>> 5) untar the tarball
>> 6) Diff between the source repo and the tarball
>> 7) For the differences between the source repo and tarball check that:
>>   * the differences are due to a file generated in the creation of the
>> tarball (like configure or Makefile.in)
>>   * files that won't matter to the build (upstream has a HOW_TO_RELEASE
>> file in the repo that isn't in the tarball)
>>   * other things that are more subtle :-(  (permissions on files,
>> versions substituted into files at tarball creation time, etc)
> 
> Yes; or make sure that upstream understands to build the tarball
> from a tag, and not the other way around: tag after the tarball was
> built.
> 
You still have all the other steps since we're talking about verifying here.

I think we're in agreement about everything else :-)

-Toshio
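The verification steps discussed in this thread (check the tarball's sha1sum against the recorded one, unpack it, diff it against a checkout of the source repository, and sort the differences into generated autotools files, files that only live in the repository, substituted content and changed permissions) as an added example in Python; it is not part of the mailing list post. The list of generated file names, the repository-only file name, the sample checkout and the release tarball are all constructed for the example.

```python
import hashlib
import io
import os
import stat
import tarfile
import tempfile

# Files autotools writes at release time; expected in the tarball but not in
# the repository (assumed list for the example).
GENERATED = {"configure", "Makefile.in", "aclocal.m4", "config.h.in", "config.guess",
             "config.sub", "install-sh", "missing", "depcomp", "ltmain.sh", "compile"}
# Repository files that are deliberately left out of releases (assumed list).
RELEASE_ONLY = {"HOW_TO_RELEASE"}


def sha1_of_file(path):
    """Step 3: hex SHA-1 of the downloaded tarball, read in chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_matches(path, expected_hex):
    return sha1_of_file(path) == expected_hex.lower()


def tarball_entries(path):
    """Step 5: map 'relative/path' -> (content, mode) for every regular file,
    with the top-level 'foo-1.0/' directory stripped from the member names."""
    entries = {}
    with tarfile.open(path, "r:*") as tf:
        for m in tf.getmembers():
            if m.isfile():
                rel = m.name.split("/", 1)[1] if "/" in m.name else m.name
                entries[rel] = (tf.extractfile(m).read(), stat.S_IMODE(m.mode))
    return entries


def tree_entries(root):
    """Step 4: the same map for a checked-out repository, skipping VCS metadata."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", ".svn", ".hg")]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                entries[rel] = (f.read(), stat.S_IMODE(os.stat(full).st_mode))
    return entries


def classify_differences(tarball, repo_dir):
    """Steps 6-7: diff tarball against checkout and bucket every difference.
    'generated' and 'release_only' are explained; the other buckets need review."""
    tar, repo = tarball_entries(tarball), tree_entries(repo_dir)
    report = {"generated": [], "release_only": [], "tar_only": [],
              "repo_only": [], "content": [], "mode": []}
    for name in sorted(set(tar) | set(repo)):
        base = name.rsplit("/", 1)[-1]
        if name not in repo:
            report["generated" if base in GENERATED else "tar_only"].append(name)
        elif name not in tar:
            report["release_only" if base in RELEASE_ONLY else "repo_only"].append(name)
        else:
            if tar[name][0] != repo[name][0]:
                report["content"].append(name)      # e.g. version substituted at dist time
            if tar[name][1] != repo[name][1]:
                report["mode"].append(name)         # e.g. a script lost its exec bit
    return report


def build_sample(tmp):
    """Constructed sample: a tiny checkout and a release tarball cut from it."""
    repo = os.path.join(tmp, "repo")
    os.makedirs(os.path.join(repo, "src"))
    files = {"configure.ac": b"AC_INIT([foo], [1.0])\n",
             "Makefile.am": b"bin_PROGRAMS = foo\n",
             "src/main.c": b"int main(void) { return 0; }\n",
             "src/version.h": b'#define VERSION "@VERSION@"\n',
             "HOW_TO_RELEASE": b"make dist\n",
             "run-tests.sh": b"#!/bin/sh\nexit 0\n"}
    for rel, data in files.items():
        with open(os.path.join(repo, rel), "wb") as f:
            f.write(data)
        os.chmod(os.path.join(repo, rel), 0o644)   # fixed modes, independent of umask
    os.chmod(os.path.join(repo, "run-tests.sh"), 0o755)

    release = dict(files)
    del release["HOW_TO_RELEASE"]                            # never shipped
    release["src/version.h"] = b'#define VERSION "1.0"\n'     # substituted by make dist
    release["configure"] = b"#!/bin/sh\n# generated by autoconf\n"
    release["Makefile.in"] = b"# generated by automake\n"
    release["src/helper.c"] = b"/* not in the repository: must be reviewed */\n"
    tar_path = os.path.join(tmp, "foo-1.0.tar.gz")
    with tarfile.open(tar_path, "w:gz") as tf:
        for rel, data in release.items():
            info = tarfile.TarInfo("foo-1.0/" + rel)
            info.size, info.mode = len(data), 0o644   # run-tests.sh loses its exec bit
            tf.addfile(info, io.BytesIO(data))
    return repo, tar_path


def run_sample():
    with tempfile.TemporaryDirectory() as tmp:
        repo, tar_path = build_sample(tmp)
        recorded = sha1_of_file(tar_path)   # the sum the packager recorded at build time
        return {"checksum_ok": checksum_matches(tar_path, recorded),
                "stale_checksum_ok": checksum_matches(tar_path, "0" * 40),
                "report": classify_differences(tar_path, repo)}


if __name__ == "__main__":
    for bucket, names in run_sample()["report"].items():
        print(f"{bucket:13s} {names}")
```

On the constructed sample the two generated files and the HOW_TO_RELEASE file are explained away automatically, while the substituted version header, the script whose permissions changed and the extra source file not present in the repository are left for the reviewer, which is exactly the "more subtle" category the thread warns about.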
