Re: New supply-chain security tool: backseat-signed

2024-04-06 Thread kpcyrd
to be). A "source code build process" is clearly just the build process in a trenchcoat. cheers, kpcyrd

Re: New supply-chain security tool: backseat-signed

2024-04-04 Thread kpcyrd
e to better use. Or perhaps stop using tarballs in Debian as the sole permitted form of source. I'd be fine with that. cheers, kpcyrd

Re: New supply-chain security tool: backseat-signed

2024-04-04 Thread kpcyrd
On 4/3/24 4:21 AM, Adrian Bunk wrote: On Wed, Apr 03, 2024 at 02:31:11AM +0200, kpcyrd wrote: ... I figured out a somewhat straight-forward way to check if a given `git archive` output is cryptographically claimed to be the source input of a given binary package in either Arch Linux or Debian

New supply-chain security tool: backseat-signed

2024-04-02 Thread kpcyrd
posed to give guidance on what to code review. This is also why I think code signing by upstream is somewhat low priority, since the big distros can form consensus around "what's the source code" regardless. https://github.com/kpcyrd/backseat-signed The README shows how to veri

Re: Transparency into private keys of Debian

2024-02-07 Thread kpcyrd
or defunct tho, please do not make assumptions unless you tested them, many of them have a `check:` section for automatic integration testing): https://github.com/kpcyrd/sh4d0wup The name is derived from "shadow updates" that carry a valid signature (through private key abuse) b