On Thu, Mar 07, 2024 at 05:26:08PM -0500, pgnd via Postfix-users wrote: > I understand the "only official" release sources are the tarballs, > > TARBALL DL FROM MIRROR SITE > wget > https://mirror.reverse.net/pub/postfix-release/official/postfix-3.8.6.tar.gz > sha1sum postfix-3.8.6.tar.gz > 19a387be8e3c2be239d7b4009a6b0b4af96b5c23 > postfix-3.8.6.tar.gz > tar zxvf postfix-3.8.6.tar.gz > sha1sum $(find -type f -iname "postfix.c") > deb2575c7788ea1703e3b306333dbd4a3cf3f3cf > ./postfix-3.8.6/src/postfix/postfix.c > > For my own workflow/convenience, my pref is to grab Viktor Dukhovni's > (unofficial?) git mirror release-tag's archive tarball,
My github repo is not an official alternative distribution mechanism. It primarily serves my own needs, and secondarily the needs of developers or users who want a convenient way to examine Postfix development history. > Is there a convenient/reliable method to similarly verify the entire > archive tarball, &/or the github repo source ? I do not sign the release tags, so no there is no way to check that they match Wietse's code, other than by comparing against Wietse's signed tarballs. If Wietse some day chooses to release Postfix via github, he may at that point choose to generate signed release tags. -- Viktor. _______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org