Hello Gordon,
On Thu, 2017-02-09 at 12:38 -0800, Gordon Messmer wrote:
Git already has the protection you're looking for. As part of its core design, git uses a hash chain to verify the integrity of its history. Every change and every file is thus protected. It's impossible to insert changes or to modify the history of the git repository in a way that wouldn't be extremely visible to all users.
If you check out a module using git, and fetch its external sources using get_sources.sh, you can rest assured that every file used to build an RPM has been hashed and verified.
Alright, understood. Only the sources downloaded with get_sources.sh need a checksum then. Which are the ones in <package>.metadata.
Thanks for clearing this up and sorry Johnny for the fuzz :) .
Regards, Leonard.