On Mon, Jul 7, 2014 at 5:01 AM, Karanbir Singh mail-lists@karan.org wrote:
hi,
given that srpms contain upstream tarballs, in most cases directly linked from upstream; I wonder if it's worthwhile setting up a service that can track git commits, extract the urls for our lookaside tarballs and compare them with the upstream project's release tarballs.
this would be a great addition to the ci.dev.centos.org infra, and could add another data point to the 'can-we-trust-this' mindset.
- KB
When it works, it could be useful for verification of the source tarballs. The difficulty I see is that some of the published Source URLs are transient. As they become even slightly out of date, many projects move aside older versions to an "archive" subdirectory, or re-arrange their websites at whim. I ran into this with Nagios last year, and software that installs Nagios from tarballs.
So it's potentially useful, but there's no guarantee that those URLs are valid for even 5 seconds after the original SPEC file was written.
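The check KB proposes and the failure mode the reply describes, as an added example that is not part of the thread and not CentOS infrastructure code: it extracts the Source URLs from a spec file (expanding `%{name}`/`%{version}` macros), hashes the lookaside tarball, fetches the upstream tarball and reports match, mismatch, or unavailable when the URL has gone stale. The spec text, tarball bytes and the `fake_upstream` fetch function are constructed so the example runs offline; a real service would pass `fetch_http` instead.

```python
"""Compare a package's lookaside tarball with the upstream release tarball
named in its spec file. Added example; the spec, tarball bytes and the
offline fetch stand-in below are constructed, not real CentOS data."""
import hashlib
import re
from urllib.error import URLError
from urllib.request import urlopen

MACRO_RE = re.compile(r"%\{(\w+)\}")
SOURCE_RE = re.compile(r"^Source(\d*)\s*:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
TAG_RE = re.compile(r"^(Name|Version|Release)\s*:\s*(\S+)", re.MULTILINE)
DEFINE_RE = re.compile(r"^%(?:global|define)\s+(\w+)\s+(\S+)", re.MULTILINE)


def parse_macros(spec_text):
    """Collect the macros a Source URL usually depends on (Name/Version tags
    and simple %global/%define lines); conditional macros like %{?dist} are
    left untouched since they never appear in upstream URLs."""
    macros = {m.group(1).lower(): m.group(2) for m in TAG_RE.finditer(spec_text)}
    macros.update({m.group(1): m.group(2) for m in DEFINE_RE.finditer(spec_text)})
    return macros


def expand(value, macros):
    """Expand %{macro} references; loop because macros may nest."""
    prev = None
    while prev != value:
        prev = value
        value = MACRO_RE.sub(lambda m: macros.get(m.group(1), m.group(0)), value)
    return value


def source_urls(spec_text):
    """Return the remote Source URLs of a spec; local files (patches, init
    scripts) carry no upstream reference and are skipped."""
    macros = parse_macros(spec_text)
    urls = []
    for m in SOURCE_RE.finditer(spec_text):
        url = expand(m.group(2), macros)
        if url.startswith(("http://", "https://", "ftp://")):
            urls.append(url)
    return urls


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def fetch_http(url, timeout=30):
    """Real fetcher for a deployed service (not used in the offline demo)."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read()


def check_tarball(url, lookaside_sha256, fetch=fetch_http):
    """Compare the lookaside hash with the upstream tarball at url.
    A fetch failure is reported as 'unavailable' rather than treated as a
    mismatch, since stale URLs are the expected failure mode."""
    try:
        upstream = fetch(url)
    except (URLError, OSError, ValueError) as exc:
        return {"url": url, "status": "unavailable", "detail": str(exc)}
    upstream_sha = sha256_hex(upstream)
    return {
        "url": url,
        "status": "match" if upstream_sha == lookaside_sha256 else "mismatch",
        "upstream_sha256": upstream_sha,
        "lookaside_sha256": lookaside_sha256,
    }


def run_check(spec_text, lookaside_bytes, fetch=fetch_http):
    """One report entry per remote Source URL in the spec."""
    digest = sha256_hex(lookaside_bytes)
    return [check_tarball(url, digest, fetch) for url in source_urls(spec_text)]


# --- constructed demo data (hypothetical package, not a real project) ---
SPEC = """\
Name:           foo
Version:        1.2.3
Release:        1%{?dist}
Source0:        https://example.org/releases/%{name}-%{version}.tar.gz
Source1:        foo.init
"""
LOOKASIDE_TARBALL = b"constructed tarball bytes standing in for foo-1.2.3.tar.gz"


def fake_upstream(url):
    """Offline stand-in for HTTP: the current release URL serves the same
    bytes as the lookaside; anything else behaves like a project that moved
    old versions into an archive/ subdirectory."""
    if url == "https://example.org/releases/foo-1.2.3.tar.gz":
        return LOOKASIDE_TARBALL
    raise URLError("HTTP Error 404: Not Found (moved to /archive/?)")


if __name__ == "__main__":
    for entry in run_check(SPEC, LOOKASIDE_TARBALL, fake_upstream):
        print(entry["status"], entry["url"])
```

Running the demo reports `match` for Source0; pointing the same check at a URL the fake upstream no longer serves yields `unavailable`, which a CI job should surface as "cannot verify" rather than as a failed comparison.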