Dealing with autotools
martin f krafft
madduck at debian.org
Sun May 10 07:01:23 UTC 2009
also sprach Toshio Kuratomi <a.badger at gmail.com> [2009.05.09.2122 +0200]:
> >> 3) sha1sum tarball just downloaded matches with sha1sum tarball used to
> >> build package.
> >>
> >> (If you're the maintainer, you don't have to do step 3)
> >
> > you *should* though, and insist on a trust path to the author, or
> > else all I ever have to do to harm all Fedora people is DNS-poison
> > a Fedora maintainer's connection.
> >
> Well -- the reason that the Fedora maintainer doesn't have to do #3 is
> that there isn't a package until the fedora maintainer puts it together.
Ah, I meant:
> In response to DNS poisoning, the only ways I know of to get
> around that are:
> 1) Check against the tarballs in other distros packages.
> 2) Upstream provides gpg signatures of either the tarball or
> a checksum file.
The maintainer should ensure that the tarball used to create
a package is pristine, just like s/he should ensure that building
from a VCS tag has the desired effect.
--
.''`. martin f. krafft <madduck at d.o> Related projects:
: :' : proud Debian developer http://debiansystem.info
`. `'` http://people.debian.org/~madduck http://vcs-pkg.org
`- Debian - when you have better things to do than fixing systems
(a)bort, (r)etry, (p)retend this never happened
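The verification chain the thread circles around (upstream-signed checksum file, tarball digest against that file, digest against the value recorded at build time) written out as an added POSIX sh example; this is not code from the original mail or from any distribution's tooling. The file names foo-1.0.tar.gz, SHA256SUMS and SHA256SUMS.asc, the pinned keyring path, and the coreutils checksum layout are assumptions. SHA-256 is the default digest here; "sha1" can be passed to match the sha1sum step quoted above.

```shell
#!/bin/sh
# Added example (not from the vcs-pkg-discuss thread): packager-side checks
# that a downloaded tarball is the pristine upstream one.
#
# Assumptions (not from the mail): upstream publishes foo-1.0.tar.gz, a
# checksum file SHA256SUMS in coreutils "<hex>  <name>" layout, and a
# detached signature SHA256SUMS.asc; the upstream key alone lives in a
# pinned keyring file that the packager obtained over a separate trust path.

# verify_signature SUMSFILE SIGFILE KEYRING
# Succeeds only if SIGFILE is a good signature over SUMSFILE by a key in
# KEYRING. --no-default-keyring keeps every other key on the system out of
# the decision, so a key that merely looks like upstream's does not pass.
verify_signature() {
    gpg --batch --no-default-keyring --keyring "$3" --verify "$2" "$1" 2>/dev/null
}

# verify_digest TARBALL SUMSFILE [ALGO]
# Looks up TARBALL's basename in SUMSFILE and compares the recorded digest
# with a freshly computed one. Returns 2 when there is no entry at all, so a
# missing line can never be mistaken for a match.
verify_digest() {
    tarball=$1
    sums=$2
    algo=${3:-sha256}
    name=$(basename "$tarball")
    # strip the "*" that "<algo>sum -b" puts in front of the file name
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                                 f == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "verify_digest: no entry for $name in $sums" >&2
        return 2
    fi
    actual=$("${algo}sum" "$tarball" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# compare_with_build TARBALL RECORDED_HEX [ALGO]
# Step 3 from the thread: the digest of the tarball fetched now must equal
# the digest recorded when the package was built.
compare_with_build() {
    actual=$("${3:-sha256}sum" "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# check_tarball TARBALL SUMSFILE SIGFILE KEYRING RECORDED_HEX
# Full chain: signature first (an unsigned checksum file proves nothing
# against a poisoned download), then upstream's digest, then the build record.
check_tarball() {
    verify_signature "$2" "$3" "$4" || { echo "bad or unknown signature" >&2; return 1; }
    verify_digest "$1" "$2" || { echo "digest differs from upstream's" >&2; return 1; }
    compare_with_build "$1" "$5" || { echo "digest differs from build record" >&2; return 1; }
    echo "ok: $1 is pristine"
}

# Stand-alone demo on constructed files (no network, no gpg needed): the
# digest checks pass on the file as written and fail once it is altered.
demo() {
    d=$(mktemp -d)
    printf 'constructed stand-in for a tarball\n' > "$d/foo-1.0.tar.gz"
    h=$(sha256sum "$d/foo-1.0.tar.gz" | awk '{ print $1 }')
    printf '%s  foo-1.0.tar.gz\n' "$h" > "$d/SHA256SUMS"
    verify_digest "$d/foo-1.0.tar.gz" "$d/SHA256SUMS" && echo "demo: digest matches"
    printf 'tampered\n' >> "$d/foo-1.0.tar.gz"
    verify_digest "$d/foo-1.0.tar.gz" "$d/SHA256SUMS" || echo "demo: tampering detected"
    rm -rf "$d"
}
demo
```

The order in check_tarball matters: a checksum file fetched over the same poisoned connection as the tarball would simply match the poisoned tarball, so only the signature check ties the digest to the upstream author, and only compare_with_build catches a tarball that changed after the package was built.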