On Nov 26, 2014, at 12:40 AM, Leo Singer wrote:

> I maintain one port (ds9) for which the upstream source tarball is posted on 
> an http (no TLS) server. When I uploaded the initial version of the port, I 
> recorded the hashes that I calculated from the tarball. There is an update 
> available. I asked the developer if he could put a cryptographic hash on an 
> https server. He sent me an RMD160 and a SHA1 hash, but in an unsigned 
> e-mail. So technically, I have no way to check that the sources have not been 
> tampered with. I don't think upstream has the resources to set up an https 
> server.
> 
> Am I being way too paranoid? Should I just take the sources and hashes that I 
> have?

That's what I do.



_______________________________________________
macports-dev mailing list
macports-dev@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-dev
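The thread above is about pinning the hashes recorded when a port was first committed and checking later downloads against them. The following is an added example, not code from the thread or from MacPorts itself, showing that check in Python: it computes several digests of a tarball in one pass and compares them against pinned values with a constant-time comparison. The function names (`file_digests`, `verify_pinned`), the sample tarball bytes, and the temporary-file layout are all constructed for this illustration. The caveat the thread raises still applies: if the pinned values came from the same unauthenticated channel as the tarball, a match only proves the file has not changed since the pins were recorded, not that the original was genuine.

```python
import hashlib
import hmac
import os
import tempfile


def file_digests(path, algorithms=("sha1", "sha256")):
    """Compute the requested digests over a file in a single pass.

    Algorithms that this Python/OpenSSL build does not provide (ripemd160 is
    missing on some OpenSSL 3 installs) are reported as None rather than
    raising, so the caller can decide how to treat them.
    """
    hashers = {}
    for name in algorithms:
        try:
            hashers[name] = hashlib.new(name)
        except ValueError:
            hashers[name] = None
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hashers.values():
                if h is not None:
                    h.update(chunk)
    return {name: (h.hexdigest() if h is not None else None)
            for name, h in hashers.items()}


def verify_pinned(path, pinned):
    """Check a file against a dict of {algorithm: expected_hexdigest}.

    Returns (ok, report). ok is True only when every pinned digest was
    computable and matched; report maps each algorithm to "match",
    "MISMATCH" or "unavailable".
    """
    actual = file_digests(path, tuple(pinned))
    report = {}
    for name, expected in pinned.items():
        got = actual[name]
        if got is None:
            report[name] = "unavailable"
        elif hmac.compare_digest(got, expected.lower()):
            report[name] = "match"
        else:
            report[name] = "MISMATCH"
    ok = all(status == "match" for status in report.values())
    return ok, report


if __name__ == "__main__":
    # Constructed stand-in for an upstream tarball; the pins below are the
    # digests a maintainer would have recorded at the first import.
    data = b"constructed tarball contents, not a real release\n"
    fd, tmp = tempfile.mkstemp(suffix=".tar.gz")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    pins = {"sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}
    ok, report = verify_pinned(tmp, pins)
    print("pristine:", ok, report)

    # A later download that differs by one byte must fail the check.
    with open(tmp, "ab") as f:
        f.write(b"x")
    ok, report = verify_pinned(tmp, pins)
    print("tampered:", ok, report)
    os.unlink(tmp)
```

Treat an "unavailable" result as a failure rather than skipping it: silently dropping an algorithm the pin list asks for is exactly how a check degrades to "whatever the tool happened to support".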
