Thus spoke Toshio Kuratomi <a.bad...@gmail.com> [2009.05.09.2122 +0200]:
> >> 3) sha1sum tarball just downloaded matches with sha1sum tarball used to
> >> build package.
> >>
> >> (If you're the maintainer, you don't have to do step 3)
> > 
> > you *should* though, and insist on a trust path to the author, or
> > else all I ever have to do to harm all Fedora people is DNS-poison
> > a Fedora maintainer's connection.
> > 
> Well -- the reason that the Fedora maintainer doesn't have to do #3 is
> that there isn't a package until the fedora maintainer puts it together.

Ah, I meant:

> In response to DNS poisoning, the only ways I know of to get
> around that are:
> 1) Check against the tarballs in other distros packages.
> 2) Upstream provides gpg signatures of either the tarball or
> a checksum file.

The maintainer should ensure that the tarball used to create
a package is pristine, just like s/he should ensure that building
from a VCS tag has the desired effect.

-- 
 .''`.   martin f. krafft <madd...@d.o>      Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems
 
(a)bort, (r)etry, (p)retend this never happened

Attachment: digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/)

_______________________________________________
vcs-pkg-discuss mailing list
vcs-pkg-discuss@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/vcs-pkg-discuss
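The two defences named in the message above (verify an upstream GPG signature over the tarball or its checksum file; cross-check the hash against the tarball another distro packaged) as a shell check a maintainer could run before building. This is an added example, not code from the thread or from any Debian or Fedora tool. The script name, the `SHA256SUMS`/`SHA256SUMS.sig` file names and the keyring argument are assumptions; the sample tarball in `demo` is constructed. The thread talks about sha1sum; the script uses SHA-256, which is what upstreams publish today. The keyring must have been obtained through the trust path to the author (keysigning, a fingerprint confirmed out of band), not fetched over the same connection whose DNS may be poisoned, otherwise the signature check proves nothing.

```shell
#!/bin/sh
# verify_pristine.sh -- added example (not from the thread).
# Before building from a freshly downloaded upstream tarball, check that it
# is the tarball upstream released, using the two defences the thread names:
#   1. a detached GPG signature (here over the checksum file) verified against
#      a keyring the maintainer built from a trust path to the author;
#   2. a hash obtained out of band, e.g. of the tarball inside another
#      distro's source package, compared with the local download.
set -eu

# Verify detached signature SIG over FILE using only the keys in KEYRING.
# gpgv trusts every key in the keyring it is given and exits non-zero on a
# bad, expired or unknown signature, so the exit status is the whole answer.
verify_signature() {
    keyring=$1 sig=$2 file=$3
    gpgv --keyring "$keyring" "$sig" "$file"
}

# Print the SHA-256 of FILE, hex digest only.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Succeed only if TARBALL's SHA-256 equals the entry for its basename in
# SUMS ("<hex>  <name>" as written by sha256sum; "*<name>" binary form too).
checksum_matches() {
    tarball=$1 sums=$2
    name=$(basename "$tarball")
    expected=$(awk -v f="$name" '$2 == f || $2 == "*" f {print $1; exit}' "$sums")
    if [ -z "$expected" ]; then
        echo "$sums has no entry for $name" >&2
        return 1
    fi
    [ "$expected" = "$(sha256_of "$tarball")" ]
}

# Succeed only if TARBALL hashes to OTHER_SUM, a digest obtained out of band
# (for instance from another distribution's recorded source hash).
cross_check() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Full check: signature over the checksum file, then the tarball against it.
verify_tarball() {
    keyring=$1 tarball=$2 sums=$3 sig=$4
    verify_signature "$keyring" "$sig" "$sums" || { echo "BAD SIGNATURE on $sums" >&2; return 1; }
    checksum_matches "$tarball" "$sums" || { echo "CHECKSUM MISMATCH for $tarball" >&2; return 1; }
    echo "OK: $tarball matches signed $sums"
}

# Offline self-check on constructed data: a fake tarball plus its checksum
# file must pass; the same tarball with bytes appended must be rejected.
demo() {
    d=$(mktemp -d)
    printf 'constructed sample, not a real release\n' > "$d/foo-1.0.tar.gz"
    printf '%s  foo-1.0.tar.gz\n' "$(sha256_of "$d/foo-1.0.tar.gz")" > "$d/SHA256SUMS"
    other=$(sha256_of "$d/foo-1.0.tar.gz")      # stands in for another distro's recorded hash
    checksum_matches "$d/foo-1.0.tar.gz" "$d/SHA256SUMS" || return 1
    cross_check "$d/foo-1.0.tar.gz" "$other" || return 1
    printf 'tampered\n' >> "$d/foo-1.0.tar.gz"    # what a poisoned mirror would hand you
    if checksum_matches "$d/foo-1.0.tar.gz" "$d/SHA256SUMS"; then return 1; fi
    if cross_check "$d/foo-1.0.tar.gz" "$other"; then return 1; fi
    rm -rf "$d"
    echo "demo: genuine tarball accepted, tampered tarball rejected"
}

# Usage: verify_pristine.sh KEYRING TARBALL SHA256SUMS SHA256SUMS.sig
# With no arguments the offline demo runs instead.
if [ $# -eq 4 ]; then
    verify_tarball "$@"
elif [ $# -eq 0 ]; then
    demo
else
    echo "usage: $0 KEYRING TARBALL SHA256SUMS SHA256SUMS.sig" >&2
    exit 2
fi
```

Run it as `sh verify_pristine.sh upstream-keyring.gpg foo-1.0.tar.gz SHA256SUMS SHA256SUMS.sig` once the keyring holds only the author's key; pass the digest from another distro's source package to `cross_check` when upstream publishes no signature at all. Note that `gpgv` is used instead of `gpg --verify` on purpose: it has no web-of-trust logic and no keyserver access, so the only keys that can satisfy it are the ones you put in the keyring yourself.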
