Hi,

I maintain one port (ds9) for which the upstream source tarball is posted on an 
http (no TLS) server. When I uploaded the initial version of the port, I 
recorded the hashes that I calculated from the tarball. There is an update 
available. I asked the developer if he could put a cryptographic hash on an 
https server. He sent me an RMD160 and a SHA1 hash, but in an unsigned e-mail. 
So technically, I have no way to check that the sources have not been tampered 
with. I don't think upstream has the resources to set up an https server.

Am I being way too paranoid? Should I just take the sources and hashes that I 
have?

I have tried to check the sources against the Debian package, but the Debian 
maintainer checked in just a subset of the upstream source because there are 
several dependencies bundled with it.

This is not a security-critical package, but it is used widely, perhaps daily, 
by people in my domain.

Thanks,
Leo Singer
_______________________________________________
macports-dev mailing list
macports-dev@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-dev

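On the verification step itself, the following is an added example and not code from the original post, from the ds9 developer, or from MacPorts. It computes the RMD160, SHA1 and SHA256 digests of a downloaded tarball in one streaming pass, normalises the hex strings as they would be pasted from an e-mail (case, stray whitespace), and reports a per-algorithm result. It assumes the tarball is already on disk; the inputs in the demo are constructed test data, not a real release. Note that a match against digests received over an unauthenticated channel (plain http, an unsigned e-mail) only shows that the bytes you have are the bytes the sender hashed, assuming that channel was not altered in transit; it does not by itself establish who produced them. A digest algorithm that this build of OpenSSL does not provide (RIPEMD-160 is in the legacy provider on some OpenSSL 3 systems) is reported as "unavailable" and does not count as a pass.

```python
"""Verify a source tarball against checksums received out of band.

Added example for illustration; not part of the MacPorts project or the ds9
port. Sample data below is constructed, not a real upstream release.
"""
import hashlib
import hmac
import io
from typing import BinaryIO, Dict, Iterable, Optional

CHUNK = 1 << 16  # read 64 KiB at a time so large tarballs never sit in RAM


def _new_hasher(algo: str) -> Optional["hashlib._Hash"]:
    """Return a hashlib object, or None when this OpenSSL build lacks the
    algorithm (hashlib.new raises ValueError for an unsupported name)."""
    try:
        return hashlib.new(algo)
    except ValueError:
        return None


def digest_stream(fobj: BinaryIO, algos: Iterable[str]) -> Dict[str, Optional[str]]:
    """Hash one pass over fobj with every requested algorithm.

    Algorithms this build cannot provide map to None instead of aborting the
    whole check, so the remaining digests are still reported.
    """
    hashers = {a: _new_hasher(a) for a in algos}
    while True:
        block = fobj.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            if h is not None:
                h.update(block)
    return {a: (h.hexdigest() if h is not None else None) for a, h in hashers.items()}


def _normalise_hex(s: str) -> str:
    """Hex digests copied out of an e-mail often arrive upper-cased or with
    trailing whitespace; compare the canonical lower-case form."""
    return "".join(s.split()).lower()


def verify_stream(fobj: BinaryIO, expected: Dict[str, str]) -> Dict[str, str]:
    """Compare the digests of fobj with expected {algo: hex}.

    Returns {algo: 'ok' | 'MISMATCH' | 'unavailable'} for every expected entry.
    """
    actual = digest_stream(fobj, expected.keys())
    result: Dict[str, str] = {}
    for algo, want in expected.items():
        got = actual[algo]
        if got is None:
            result[algo] = "unavailable"
        elif hmac.compare_digest(got, _normalise_hex(want)):
            result[algo] = "ok"
        else:
            result[algo] = "MISMATCH"
    return result


def verify_bytes(data: bytes, expected: Dict[str, str]) -> Dict[str, str]:
    """Convenience wrapper for in-memory data (used by the demo and tests)."""
    return verify_stream(io.BytesIO(data), expected)


def verify_file(path: str, expected: Dict[str, str]) -> Dict[str, str]:
    """Verify a tarball on disk without reading it into memory at once."""
    with open(path, "rb") as f:
        return verify_stream(f, expected)


def all_match(result: Dict[str, str]) -> bool:
    """True only if every expected digest was computed and matched.

    An 'unavailable' algorithm is a failed check, not a skipped one: silently
    passing because RMD160 could not be computed would defeat the point.
    """
    return bool(result) and all(v == "ok" for v in result.values())


if __name__ == "__main__":
    # Constructed stand-in for the tarball and for the digests "from the
    # developer's e-mail"; these are the standard test vectors for "abc".
    sample = b"abc"
    from_email = {
        "ripemd160": "8EB208F7E05D987A9B044A8E98C6B087F15A0BFC  ",  # pasted as-is
        "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
        "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    }
    outcome = verify_bytes(sample, from_email)
    for algo, status in outcome.items():
        print(f"{algo:10s} {status}")
    print("integrity check passed" if all_match(outcome) else "DO NOT USE these sources")
```

Run it against the real download with `verify_file("ds9-x.y.tar.gz", from_email)`; a clean result means the file matches what the sender hashed, which is the most these digests can tell you without a signature.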